I am implementing OAuth2 resource owner password credentials using Passport.js and the oauth2-client-password strategy for the API, but I am confused about what client_id and client_secret should be. The specification for resource owner password credentials indicates:
The client makes a request to the token endpoint by adding the following parameters using the "application/x-www-form-urlencoded" format per Appendix B with a character encoding of UTF-8 in the HTTP request entity-body:

grant_type
    REQUIRED. Value MUST be set to "password".
username
    REQUIRED. The resource owner username.
password
    REQUIRED. The resource owner password.
scope
    OPTIONAL. The scope of the access request as described by Section 3.3.

But the Passport.js strategy is documented for use as follows:

    passport.use(new ClientPasswordStrategy(
      function(clientId, clientSecret, done) {
        Clients.findOne({ clientId: clientId }, function (err, client) {
          if (err) { return done(err); }
          if (!client) { return done(null, false); }
          if (client.clientSecret != clientSecret) { return done(null, false); }
          return done(null, client);
        });
      }
    ));

, : client_id client_secret, oauth2-client-password client_id secret_id?
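
An added example, not part of the original post or of the strategy's documentation: in the password grant, username and password identify the resource owner, while client_id and client_secret identify the calling application, sent per RFC 6749 section 2.3.1 either in an HTTP Basic header or as extra form parameters. The client registry, function names and all values below are constructed assumptions.

```javascript
const crypto = require('crypto');

// Constructed client registry (hypothetical values, not from the original post).
const CLIENTS = new Map([
  ['mobile-app', { clientId: 'mobile-app', clientSecret: 's3cr3t-constructed' }],
]);

// Client credentials arrive in an HTTP Basic header or as client_id /
// client_secret in the form body; a request using both is rejected.
function extractClientCredentials(headers, form) {
  const auth = headers.authorization || '';
  const inBody = form.has('client_id');
  if (auth.startsWith('Basic ')) {
    if (inBody) return null; // more than one client authentication method
    const decoded = Buffer.from(auth.slice(6), 'base64').toString('utf8');
    const sep = decoded.indexOf(':');
    if (sep < 0) return null;
    return { id: decoded.slice(0, sep), secret: decoded.slice(sep + 1) };
  }
  if (!inBody) return null;
  return { id: form.get('client_id'), secret: form.get('client_secret') || '' };
}

// Hash both values to a fixed length, then compare in constant time
// (a hardened alternative to comparing the secrets with != or ===).
function secretsMatch(expected, supplied) {
  const a = crypto.createHash('sha256').update(expected).digest();
  const b = crypto.createHash('sha256').update(supplied).digest();
  return crypto.timingSafeEqual(a, b);
}

// Validates a token request: the client is authenticated first, then the
// password-grant parameters (grant_type, username, password, scope) are checked.
function handleTokenRequest(headers, rawBody) {
  const form = new URLSearchParams(rawBody);
  const creds = extractClientCredentials(headers, form);
  const client = creds ? CLIENTS.get(creds.id) : undefined;
  if (!client || !secretsMatch(client.clientSecret, creds.secret)) {
    return { status: 401, error: 'invalid_client' };
  }
  if (form.get('grant_type') !== 'password') {
    return { status: 400, error: 'unsupported_grant_type' };
  }
  if (!form.get('username') || !form.get('password')) {
    return { status: 400, error: 'invalid_request' };
  }
  // Verifying the resource owner's password is the next step (not shown here).
  return { status: 200, clientId: client.clientId,
           username: form.get('username'), scope: form.get('scope') || '' };
}
```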