Before a service can use Alias, a client needs to be registered for it. A client represents the service to Alias and to users. It includes a range of details that help the service interact with Alias securely, and it provides information to the user about the service.
Confidential clients are issued with a client secret that allows them to authenticate with Alias. The client ID and client secret are together referred to as client credentials.
Most services should use a confidential client.
Client credentials allow whoever holds them to act as the client, so they must always be kept secure. Do not use them from a frontend or any other unsecured context.
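One way to check that client credentials have not ended up in a frontend is to scan the built bundle for the secret before it ships. The following is an added example, not part of Alias or its documentation; the function names, the file suffix list and the sample credentials are assumptions constructed for illustration.

```python
import base64
import tempfile
import urllib.parse
from pathlib import Path

# Assumed set of file types that end up in a shipped frontend bundle.
FRONTEND_SUFFIXES = {".js", ".mjs", ".map", ".html", ".json", ".css"}


def secret_encodings(client_id: str, client_secret: str) -> dict:
    """Byte patterns under which a client secret commonly appears in a bundle."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode())
    return {
        "raw secret": client_secret.encode(),
        "url-encoded secret": urllib.parse.quote(client_secret, safe="").encode(),
        "basic auth (base64 id:secret)": basic,
    }


def scan_bundle(build_dir: str, client_id: str, client_secret: str) -> list:
    """Return sorted (relative_path, pattern_name) pairs for every hit."""
    patterns = secret_encodings(client_id, client_secret)
    hits = set()
    for path in Path(build_dir).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in FRONTEND_SUFFIXES:
            continue
        data = path.read_bytes()
        for name, needle in patterns.items():
            if needle in data:
                hits.add((path.relative_to(build_dir).as_posix(), name))
    return sorted(hits)


def demo() -> list:
    """Scan a constructed bundle; the credentials are made-up sample values."""
    cid, secret = "sample-client", "s3cr3t/constructed+value"
    token = base64.b64encode(f"{cid}:{secret}".encode()).decode()
    with tempfile.TemporaryDirectory() as tmp:
        assets = Path(tmp) / "assets"
        assets.mkdir()
        (Path(tmp) / "index.html").write_text("<script src='assets/app.js'></script>")
        (assets / "cfg.json").write_text('{"clientId": "sample-client"}')
        (assets / "app.js").write_text("h={Authorization:'Basic " + token + "'}")
        (assets / "app.js.map").write_text('{"src":"const S=\'' + secret + '\'"}')
        return scan_bundle(tmp, cid, secret)


if __name__ == "__main__":
    for rel, name in demo():
        print(f"{rel}: {name}")
```

The client ID on its own is not flagged, because only the secret and values derived from it need to stay out of the bundle.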
Public clients do not have client secrets, so they can't authenticate with Alias. As they don't have credentials to keep secure, they can be used directly from a frontend, but at the cost of being limited to "online" access, i.e. they can only use granted permissions when a user is logged in.
A public client can't:
- Request the
- Use refresh tokens to get new user tokens,
- Use the client credentials grant to get client tokens,
- Use client endpoints.
The only practical use case for public clients is to authenticate users directly from a frontend. If a service needs to contact users, it almost always needs a confidential client.