Oauth2 client + user access tokens flow

Question

I'm using Oauth2 php library. I've followed the docs here and here This is what I have so far:

• a client application requests a token using client id & client secret to the client_credential end point
• a token is returned to the client app with a basic scope
• a user logs in from the client app
• the client application requests a new token using user id & user password to the user_credential end point
• the client app receive a new token with the new scope of the user

Everything works.

The only thing that doesn't make sense to me is that I have to pass again the client id & client secret when doing the user authorization (grant_type:'password') otherwise wise it doesn't work.

{"error":"invalid_client","error_description":"Client credentials were not found in the headers or body"}

My understanding was that since I obtained first a client token, I wouldn't have to identify the client again. I've tried passing the token instead of client id & client password for user auth but no go. What's the proper grant type combination for what I'm trying to do ?

Answer 1

A (single) client is either public , ie it has no client_secret associated with it, or confidential ie it uses a client_secret to identify itself. It cannot be both at the same time. What you could do is register a second client with a different client_id as a public client, so it won't have to use a client_secret to identify itself to the Authorization Server. You could then use that second client_id from your (single) client app in the second part of the desired flow.