Creating a client_id and registering an account using OAuth


When authorizing a user for a first party mobile app API, I send the following request:

localhost:5000/oauth/token?client_id=9qFbZD4udTgFVYo0u5U9kZX2iuzbdcJDRAquTfRk&grant_type=password&username=MyUsername&password=MyPassword

The issue with this is that I need to already have an account created as well as a client_id available.

My question is, when a user downloads my app, how should I send a request to my API to create a client record (which requires a user to be created first, since I have a foreign key linking the client to the user's ID) and a user record in my database, since there is no authorization token yet? Thanks.


When any client installs your application, you can let the client register first in the application. When the client registers, it will hit one of the APIs that you have created to store the client details in the system. After the client has registered, you can allow him to log in and continue with the token authentication.

A user can either register in your application or use a third-party login like Facebook or Google to register in the system, provided your application trusts these identity providers.


Well, you are using the password grant type here, which means the user understands and trusts your OAuth server and passes username/password to it. Another thing is that client_id is not meant to be unique for each user; it's the ID of the application which the user is going to use, so yes - it's usually acquired once when integrating the client application and the authorization server.

I believe you should take a look at authorization_code grant type.
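To make the flow from the first two answers concrete (register the user through an unauthenticated endpoint, keep client_id as a per-application value registered once, then issue a token via the password grant), here is an added example written for this page; it is not code from the question or either answer. The in-memory stores, the function names and the PBKDF2 parameters are assumptions; a real service would sit behind TLS and a database.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stores standing in for the database tables.
USERS = {}    # username -> {"salt": bytes, "hash": bytes}
CLIENTS = {}  # client_id -> {"name": str}
TOKENS = {}   # access_token -> username

def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked USERS table does not expose passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register_client(app_name: str) -> str:
    """Done once by the app developer, not once per end user (second answer)."""
    client_id = secrets.token_urlsafe(24)
    CLIENTS[client_id] = {"name": app_name}
    return client_id

def register_user(username: str, password: str) -> dict:
    """Unauthenticated registration endpoint: no token exists yet (first answer)."""
    if username in USERS:
        return {"error": "username_taken"}
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": _hash(password, salt)}
    return {"registered": username}

def token(params: dict) -> dict:
    """Password grant: client_id identifies the app, credentials identify the user."""
    if params.get("client_id") not in CLIENTS:
        return {"error": "invalid_client"}
    if params.get("grant_type") != "password":
        return {"error": "unsupported_grant_type"}
    user = USERS.get(params.get("username"))
    if user is None:
        return {"error": "invalid_grant"}
    candidate = _hash(params.get("password", ""), user["salt"])
    # Constant-time comparison of the stored and candidate hashes.
    if not hmac.compare_digest(user["hash"], candidate):
        return {"error": "invalid_grant"}
    access = secrets.token_urlsafe(32)
    TOKENS[access] = params["username"]
    return {"access_token": access, "token_type": "bearer", "expires_in": 3600}

if __name__ == "__main__":
    cid = register_client("my-mobile-app")          # once, at integration time
    print(register_user("MyUsername", "MyPassword"))  # app's sign-up screen
    print(token({"client_id": cid, "grant_type": "password",
                 "username": "MyUsername", "password": "MyPassword"}))
```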


From reading the answer and comments, if you are also implementing a custom backend for this, wouldn't it be better if you just sent this?

localhost:5000/oauth/token?client_id=9qFbZD4udTgFVYo0u5U9kZX2iuzbdcJDRAquTfRk

From here, in your backend, just have a user table that stores this token and check to see if there is a matching token. If there isn't, then create a new user object and have the user fill out the appropriate fields (email, password, etc.) to complete the registration.

To solve the spambot issue, either have a robot validator where a certain number of failed attempts will kick the user out and delete the temp user object, or have the backend send a validation email to the email address it received to make sure that the email is valid.

If for whatever reason you want/need to use client_id+user+password in your URL like in your question, you can do a multi-check where

  1. client_id is new or it already exists
  2. username exists

From there, still send them to the registration page to fill out a new user if it is taken, or pre-fill the user and password that they designated.

For added security I would suggest that you scramble the user's password before you make that request, or it could get sniped by a packet snooper.