Terminology problem: Don’t call client secrets keys

Issue #342 resolved
Michael Jones created an issue

The draft currently says “OAuth defines an alternative method for clients to authenticate with symmetric client keys through the use of the client_id and client_secret parameter in the message request body.” The client secret isn’t a key; a key is something that locks something, like a hash or encryption. The client secret is a secret or, more properly, it’s a bloody password. But whatever you call it, it isn’t a symmetric key, so please don’t use that term.

This terminology problem also occurs in the sentence “Asymmetric client authentication allows the client to authenticate with the authorization server without sending its secret key.” The client isn’t sending a secret key – it’s sending a client secret.
