Client Id and Client Secret

Hi @budd.renaud

This is in regard to the OpenID Connect (OIDC) Workflow - Auth Portal.
After receiving the authorization code, we make a request to the /token endpoint where we use clientId in the body as one of the params, and it is used for authorization along with the code to receive access and refresh tokens.

There is one more way to make the same request to /token, where the Base64 encoding of the (clientId : Client Secret) pair is added in the Authorization header of the /token request. It eliminates the use of the client Id in the body then. I want to know if this is supported and if we will also happen to receive a client secret along with the client Id for an app.

There are actually two client IDs that are referenced in the API documentation for Auth:

  1. The “client_Id” used to identify the application where the request originated from. This is the ID that I emailed your team on July 6th.
  2. The “client_Id” that is the unique identifier for a Client object (see the Admin API) that can be used like an application/service account to obtain a token that isn’t tied to a specific user but can have a similar role/permissions as a user. This is paired with a “client_secret” which is generated and returned in the response body when you create the Client object.

This is obviously confusing; the first “client_Id” really should be called “application_Id” or something similar. The second “client_Id” is used with grant_type=client_credentials along with the “client_secret”.
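
The two token-request shapes discussed in this thread, as an added example that is not part of the original posts or the vendor's documentation. Parameter names follow RFC 6749 and may be spelled differently in this API, the function names and sample values are constructed, and the thread does not confirm that this API accepts the header form.

```python
import base64
from urllib.parse import quote_plus, unquote_plus, urlencode

FORM = {"Content-Type": "application/x-www-form-urlencoded"}

def basic_client_auth(client_id, client_secret):
    """Authorization header value for HTTP Basic client authentication
    (RFC 6749 section 2.3.1). Each value is form-urlencoded before the
    'id:secret' pair is Base64-encoded, so a ':' inside the secret cannot
    shift the point where the server splits the pair."""
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode("ascii")).decode("ascii")

def parse_basic(header_value):
    """Server-side inverse of basic_client_auth, used to check the round trip."""
    scheme, _, blob = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, sep, secret = base64.b64decode(blob).decode("ascii").partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return unquote_plus(user), unquote_plus(secret)

def code_exchange_request(code, redirect_uri, application_id):
    """Authorization-code exchange: the application's ID travels in the body
    and no secret is involved (the first client ID in the answer above)."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": application_id}
    return dict(FORM), urlencode(body)

def client_credentials_request(client_id, client_secret):
    """Client-credentials request: ID and secret travel only in the header
    (the second client ID in the answer above), so the secret stays out of
    the form body and anything that logs request bodies."""
    headers = dict(FORM, Authorization=basic_client_auth(client_id, client_secret))
    return headers, urlencode({"grant_type": "client_credentials"})

if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network.
    print(code_exchange_request("abc", "https://app.example/cb", "app-123"))
    print(client_credentials_request("svc-client", "p:ss w/rd+"))
```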