OAuth Clients

A private OAuth Client is an OAuth Client protected by a Client ID and a Client Secret. A public OAuth Client is protected by a Client ID but has no Client Secret.

OAuth Clients also specify an acceptable set of Redirect URLs. As part of the OAuth authorization flow, the Authorization Server will redirect users back to the original property via a Redirect URL. The specified Redirect URL must be one of the URLs from the acceptable set of Redirect URLs.

In addition to the Scopes field set as part of the authorization request, OAuth Clients in IMS have a set of available permissions assigned to them at creation time. The permissions embedded in the returned Access Token are, therefore, the intersection of the user's actual permissions, the OAuth Client's available permissions, and the requested Scopes. Read more about this in the IMS Permissions and Scopes guide.

For example, an OAuth Client created for a given organization will only be able to retrieve permissions that provide access to projects in that organization, regardless of what the user can otherwise access. Read more about this in the Creating your own OAuth Clients guide.

Private OAuth Clients

Private OAuth Clients should be used when the Client Secret can be safely hidden. There are no additional checks required when generating an Authorization Code or an Access Token.

Public OAuth Clients

Public OAuth Clients should be used when a Client Secret cannot be safely hidden, for example when embedded in a CLI tool or within JavaScript on a webpage. When using a public OAuth Client you must use PKCE to generate Authorization Codes and exchange them for Access Tokens.
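The PKCE check that replaces the Client Secret for a public client, shown end to end as an added example (this is not IMS code; the in-memory `AuthorizationServer` class and the `pkce_flow_ok` helper are constructed stand-ins, and the verifier and challenge follow RFC 7636 with the S256 method):

```python
import base64
import hashlib
import secrets


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 32 random bytes -> 43-char verifier (RFC 7636 allows 43..128 chars)."""
    return _b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge = base64url(SHA-256(ASCII(verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal in-memory stand-in for the Authorization Server (constructed for this example)."""

    def __init__(self) -> None:
        self._codes: dict[str, str] = {}  # authorization code -> challenge bound at issue time

    def authorize(self, code_challenge: str, code_challenge_method: str) -> str:
        """Authorization request: bind the challenge to a fresh single-use code."""
        if code_challenge_method != "S256":
            raise ValueError("only the S256 challenge method is accepted")
        code = _b64url(secrets.token_bytes(16))
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        """Token exchange: the verifier must hash to the challenge seen at authorization."""
        challenge = self._codes.pop(code, None)  # consume the code so a replay fails
        if challenge is None or not (43 <= len(code_verifier) <= 128):
            return False
        return secrets.compare_digest(make_code_challenge(code_verifier), challenge)


def pkce_flow_ok() -> bool:
    """Happy path: the same client that started the flow finishes it."""
    srv = AuthorizationServer()
    verifier = make_code_verifier()
    code = srv.authorize(make_code_challenge(verifier), "S256")
    return srv.token(code, verifier)
```

Because only the hash travels in the authorization request, a party that observes the redirect and captures the Authorization Code still cannot redeem it without the verifier the client kept in memory.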

Creating your own OAuth Clients

You can create your own OAuth Clients to build your own applications for managing access to Improbable IMS services and APIs. To do this you should use the IMS Admin API or GUI. See the IMS Admin documentation for more information on this (coming soon).