FusionAuth
    why "client_id" is passed down in query param in "/app/login" endpoint while it is being read from config file in backend for "app/callback" endpoint

    kasir-barati (last edited by kasir-barati)

      Hi dear reader,

      I am implementing the backend to comply with the @fusionauth/react-sdk lib specification. But right now I am pretty confused about the reason we are passing along client_id from our ReactJS application (see here).

      Then in our backend we are reading it: https://github.com/FusionAuth/fusionauth-javascript-sdk-express/blob/main/routes/login.js#L12

      Fair enough, and I could relate to that: we might want to let the client specify client_id to be more flexible in terms of being able to serve different clients.

      But then I went ahead and tried to implement the next endpoint, which is necessary: /app/callback. There I was shocked: why in the world are we reading the client_id from a config file that is in the backend?

      I am just at a loss at this point, to be honest. This implementation does not make sense to me at all. I thought it might be a bug and went to create a new issue for the lib, but then decided to ask it first here, and if no one answers my call I'll create one.

      jloew

        Further discussion on this issue can be seen here: https://github.com/FusionAuth/fusionauth-javascript-sdk-express/issues/11

        kasir-barati @kasir-barati

          This is what "Ask AI" had to offer:

          The client_id is passed as a query parameter in the /app/login endpoint to identify the application that is initiating the login request. This is necessary because FusionAuth needs to know which application's configuration to use when processing the login request. The client_id is a unique identifier for your application in FusionAuth.

          On the other hand, in the backend for the /app/callback endpoint, the client_id is read from the configuration file because this is the server-side part of your application. Here, the client_id is used to authenticate your application to FusionAuth when it makes API calls. This is typically done in a secure server environment where the client_id can be safely stored and kept secret.

          In summary, the client_id is used in both contexts but for slightly different purposes. In the /app/login endpoint, it's used to identify the application making the request, while in the /app/callback endpoint, it's used to authenticate the application to FusionAuth.

          Although it did not satisfy me at all, it raised another question by saying, and I quote, "in a secure server environment where the client_id can be safely stored and kept secret." What in the world?

          Talk about a double standard: when the frontend wants to send it in /app/login it is safe and secure, but when it comes to /app/callback the backend is safe?

          Does that mean that we can use different client_ids? Of course not. Or at least that is my understanding.

          kasir-barati @kasir-barati

            Will create an issue on GH and update you guys here too.

    kasir-barati has marked this topic as solved on