Overview#

OAuth Client (RP) is an Actor and a Relying Party within OAuth 2.0 and OpenID Connect and is typically the application making requests to the Resource Server after being delegated by the Resource Owner.

An application requesting Access Token(s) from the Authorization Server to be granted access to a Resource Server which hosts Protected Resources on behalf of the Resource Owner.

OAuth Client that supports OpenID Connect is also called a Relying Party. This name is used because the fact that it relies on the OpenID Connect Provider to provide Authentication of the End-User.

OAuth 2.0 specification defines OAuth 2.0 Client Types:

• Confidential
• OAuth Public Client

OAuth 2.0 Profiles#

The OAuth 2.0 specification also mentions a set of OAuth 2.0 Profiles. These profiles are concrete OAuth 2.0 Client Types of applications, that of any OAuth 2.0 Client Types

Creating an OAuth 2.0 Client Application#

Creating an OAuth 2.0 Client Application can be complex so we tried to document at least the basics.

OAuth Client User-Managed Access #

OAuth Client may have a Client Operator that is the User-Managed Access (UMA) Legal Person that operates the OAuth Client.

More Information#

There might be more information for this subject on one of the following:

• API-Gateway
• Abstract Protocol Flow
• Access Token
• Access Token Request
• Access Token Type
• Access Token Validation
• Acr_values
• AppAuth
• Application_type
• Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
• Authentication Context Class
• Authentication Request
• Authorization API
• Authorization API Token
• Authorization Code
• Authorization Code Flow
• Authorization Cross Domain Code 1.0
• Authorization Grant
• Authorization Request
• Authorization Request Parameters
• Authorization Response
• Authorization Server
• Authorization_code
• Authorization_endpoint
• Back-channel Communication
• Claimed Https Scheme URI Redirection
• Claims_locales
• Client Authentication Methods
• Client Credentials Grant
• Client Operator
• Client Secret
• Client_assertion
• Client_id
• Client_secret_basic
• Client_secret_post
• Code_challenge
• Code_challenge_method
• Code_verifier
• Covert Redirect Vulnerability
• Creating an OAuth 2.0 Client Application
• Custom URI scheme
• Default_acr_values
• Encoding claims in the OAuth 2 state parameter using a JWT
• Form Post Response Mode
• Fragment Response Mode
• Grant Types
• Grant_type
• Hybrid Flow
• Id_token_hint
• Identity Token
• Identity Token Claims
• Identity Token Validation
• Implicit Flow
• Implicit Grant
• Implicit Scopes
• Include_granted_scopes
• Invalid_grant
• Invalid_token
• JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
• JWK Set
• Jwks_uri
• Login_hint
• Loopback URI Redirection
• Macaroons
• Malicious Endpoint
• Mod_auth_openidc
• Mutual TLS Profiles for OAuth Clients
• Mutual TLS Sender Constrained Resources Access
• OAuth 2.0 Actors
• OAuth 2.0 Audience Information
• OAuth 2.0 Authorization
• OAuth 2.0 Authorization Server Metadata
• OAuth 2.0 Client Registration
• OAuth 2.0 Client Types
• OAuth 2.0 Device Authorization Grant
• OAuth 2.0 Device Profile
• OAuth 2.0 Dynamic Client Registration Management Protocol
• OAuth 2.0 Dynamic Client Registration Protocol
• OAuth 2.0 Endpoints
• OAuth 2.0 JWT Secured Authorization Request
• OAuth 2.0 Message Authentication Code (MAC) Tokens
• OAuth 2.0 Mix-Up Attack
• OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens
• OAuth 2.0 NOT an Authentication protocol
• OAuth 2.0 Profiles
• OAuth 2.0 Protocol Flows
• OAuth 2.0 Security Best Current Practice
• OAuth 2.0 Software Statement
• OAuth 2.0 Token Exchange
• OAuth 2.0 Token Exchange Request
• OAuth 2.0 Token Introspection
• OAuth 2.0 Token Revocation
• OAuth 2.0 for Native Apps
• OAuth Confidential Client
• OAuth Dynamic Client Registration Metadata
• OAuth Error
• OAuth Parameters Registry
• OAuth Public Client
• OAuth Scope Example
• OAuth Scope Validation
• OAuth Scopes
• OAuth Token Request
• OAuth Token Response
• OpenID Connect
• OpenID Connect Authorization Flow
• OpenID Connect Client
• OpenID Connect Client Initiated Backchannel Authentication Flow
• OpenID Connect Federation
• OpenID Connect Flows
• OpenID Connect Scopes
• OpenID Connect User Questioning API
• OpenIG
• Permission Ticket
• Permission ticket
• Permission_registration_endpoint
• Privileged Scope
• Prompt Parameter
• Proof Key for Code Exchange by OAuth Public Clients
• Protection API
• Protection API Token
• Query Response Mode
• Redirect_uri
• Refresh Token
• Refresh Token Grant
• Registration_endpoint
• Relying Party
• Requesting Party
• Resource Owner Password Credentials Grant
• Resource Server
• Response Type
• Response_mode
• Response_type
• Revocation Request
• Revocation_endpoint
• Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
• Self-Issued OpenID Provider
• Service Provider
• Sub
• Subject_type
• Ticket
• Token Introspection Endpoint
• Token_endpoint
• Token_type
• Token_type_hint
• UMA 2.0 Grant for OAuth 2.0
• UMA 2.0 Grant for OAuth 2.0 Authorization
• Unauthorized_client
• Unsupported_response_type
• Upgraded
• User-Managed Access
• UserInfo Request
• UserInfo Response
• Want_composite
• Web Blog_blogentry_010317_1
• Web Blog_blogentry_031017_1
• Web Blog_blogentry_140218_1
• Web Blog_blogentry_140615_1
• Web Blog_blogentry_180216_1
• Web Blog_blogentry_230717_1
• Web Blog_blogentry_260715_1
• Web Blog_blogentry_300717_1

---

• [#1] - OAuth 2.0 Client Types - based on data observed:2015-05-18