Question

OAuth 2 Specification, Section 2.2 (Client Identifier) states:

The authorization server issues the registered client a client identifier -- a unique string representing the registration information provided by the client. The client identifier is not a secret; it is exposed to the resource owner and MUST NOT be used alone for client authentication. The client identifier is unique to the authorization server.

My question is whether the Client ID should be unique for each end user or only by client type?

For example, if I have a native app client, should each app install get its own client ID or should all apps get the same client ID?

And is it the same for the client_secret?


Solution

Your native app client should use one client ID. In fact, for most services you will get only one ID for your registered client (app).

It seems like you have some problems with the terminology in OAuth 2.0 (client, resource owner, resource, authorization), so maybe read a tutorial, e.g. this short one, to get a grasp of it.

Licensed under: CC-BY-SA with attribution