Discussion:
[OAUTH-WG] Can i use domain name for oauth2 client id?
Viruthagiri Thirumavalavan
2016-08-28 21:51:07 UTC
I'm working on an OAuth2 server project. Can I use a domain name for
generating the client_id?

Ex: For instance, if Google is registering an app in my server, then the
client_id will be google.com

Am I allowed to use dots in client_id? Is it wise to use a domain name as
client_id? What are the drawbacks?
Thanks
--
Regards,
Giri
Justin Richer
2016-08-29 15:56:51 UTC
Dots are legal in a client ID (as per the spec), and there’s nothing inherently wrong with a client ID that’s a domain name. However, how can you be sure it’s Google that gets the client ID “google.com”? And what if Google wants to have two clients?

In many implementations (including ours from MIT ITC), the client ID is random (we use a type 4 UUID) and we’ve got a separate field for human-readable names (client_name, defined in the dynamic registration specification).

— Justin
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
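
The approach described in the reply above, sketched as an added example (not part of the thread and not MIT's implementation): a random type 4 UUID as `client_id`, with the human-readable `client_name` kept as separate metadata. `ClientRegistry` and its methods are hypothetical names; the record field names follow the dynamic registration specification (RFC 7591), and the character check follows the `client-id = *VSCHAR` rule in RFC 6749 Appendix A.1.

```python
import re
import time
import uuid

# RFC 6749 Appendix A.1: client-id = *VSCHAR, VSCHAR = %x20-7E (so dots are legal).
_VSCHAR = re.compile(r"[\x20-\x7e]*")


def is_legal_client_id(value):
    """True if every character is a VSCHAR as RFC 6749 requires."""
    return _VSCHAR.fullmatch(value) is not None


class ClientRegistry:
    """Hypothetical in-memory store; a real server would persist this."""

    def __init__(self):
        self._clients = {}

    def register(self, client_name, redirect_uris):
        # The identifier is random and carries no meaning; the display name
        # is metadata the registrant supplies and is never used for lookup.
        client_id = str(uuid.uuid4())
        record = {
            "client_id": client_id,
            "client_id_issued_at": int(time.time()),
            "client_name": client_name,
            "redirect_uris": list(redirect_uris),
        }
        self._clients[client_id] = record
        return record

    def lookup(self, client_id):
        # Reject malformed input before touching the store.
        if not is_legal_client_id(client_id):
            return None
        return self._clients.get(client_id)


def demo():
    reg = ClientRegistry()
    # Constructed sample registrations: same name, two separate clients.
    a = reg.register("Google", ["https://app1.example/cb"])
    b = reg.register("Google", ["https://app2.example/cb"])
    return reg, a, b
```

Because the name is only metadata, a registrant typing "Google" gains nothing: the server never resolves a client by name, and one organisation can hold any number of clients.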
Viruthagiri Thirumavalavan
2016-08-29 16:55:15 UTC
Thanks Justin.

I just need a way to identify client_id. I'm planning to use 15 char for
client_id. Can I use first 3 char of domain and then random number for
client ID for the rest 12 char?

I mean something like GOO123456789123 for Google.

Thanks
--
Regards,
Giri