oauth2.dev

client_id

IETF

Registry Context

`client_id` identifies a client registration at an authorization server. It is required in authorization code authorization requests and must be sent by an unauthenticated client when exchanging an authorization code.

Technical Summary

RFC 6749 defines the client identifier as a non-secret string issued by the authorization server and unique to that server. It cannot be used alone for client authentication. Clients may use the `client_id` request parameter to identify themselves at the token endpoint.

When Used

Authorization code authorization requests, unauthenticated authorization code token requests, and optional client identification at the token endpoint.

Normative Requirements

Clients

MUST
1
  1. RFC 6749 - Section 3.2.1

    Send its `client_id`..

    Condition: When the client is unauthenticated and sends an authorization code grant request to the token endpoint.

    An unauthenticated client MUST send its "client_id".

REQUIRED
2
  1. RFC 6749 - Section 4.1.1

    Include `client_id` in the authorization request..

    Condition: When constructing an authorization code authorization request.

    client_id REQUIRED

  2. RFC 6749 - Section 4.1.3

    Include `client_id` in the token request..

    Condition: If the client is not authenticating with the authorization server.

    client_id REQUIRED, if the client is not authenticating

MAY
1
  1. RFC 6749 - Section 3.2.1

    Use the `client_id` request parameter to identify itself when sending requests to the token endpoint..

    A client MAY use the "client_id" request parameter to identify itself.

Authorization servers

MUST
1
  1. RFC 6749 - Section 4.1.3

    Ensure the authorization code was issued to the authenticated confidential client or, for a public client, to the `client_id` in the request..

    Condition: When processing an authorization code token request.

    The authorization server MUST ensure that the authorization code was issued to the applicable client.

SHOULD
1
  1. RFC 6749 - Section 2.2

    Document the size of any client identifier it issues..

    The authorization server SHOULD document the size of any identifier it issues.

Unspecified actor

MUST NOT
1
  1. RFC 6749 - Section 2.2

    Use the client identifier alone for client authentication..

    The client identifier MUST NOT be used alone for client authentication.

Validation Guidance

error

Reject authorization code authorization requests that omit `client_id`.

error

Reject authorization code token requests that omit `client_id` when the client is not authenticated.

error

Verify that the authorization code was issued to the authenticated confidential client or, for a public client, to the `client_id` in the request.

error

Do not treat `client_id` as a standalone authentication credential or secret.

warning

Document the supported size of issued client identifiers.

Security Notes

RFC 6749 - Section 2.2

The client identifier is not a secret and is exposed to the resource owner.

RFC 6749 - Section 3.2.1

Sending `client_id` in an unauthenticated authorization code token request helps prevent a client from accepting a code intended for another client, but provides no additional security for the protected resource.

Reference

Details

Entry Id
client_id
Name
client_id
Parameter Usage Location
authorization request, token request
Change Controller
IETF
Reference
RFC6749