This is what "Ask AI" had to offer:
The `client_id` is passed as a query parameter in the `/app/login` endpoint to identify the application that is initiating the login request. This is necessary because FusionAuth needs to know which application's configuration to use when processing the login request. The `client_id` is a unique identifier for your application in FusionAuth.
On the other hand, in the backend for the `/app/callback` endpoint, the `client_id` is read from the configuration file because this is the server-side part of your application. Here, the `client_id` is used to authenticate your application to FusionAuth when it makes API calls. This is typically done in a secure server environment where the `client_id` can be safely stored and kept secret.
In summary, the `client_id` is used in both contexts but for slightly different purposes. In the `/app/login` endpoint, it's used to identify the application making the request, while in the `/app/callback` endpoint, it's used to authenticate the application to FusionAuth.
It did not satisfy me at all, but it raised another question by saying, and I quote, "in a secure server environment where the `client_id` can be safely stored and kept secret." What in the world?
Talk about a double standard: when the frontend wants to send it in `/app/login` it is safe and secure, but when it comes to `/app/callback` the backend is safe?
Does that mean that we can use different `client_id`s? Of course not. Or at least that is my understanding.