I am having some difficulty understanding OAuth and some of its terms, specifically the idea of the Client. I am wondering if I might be misunderstanding RFC 6749 as it relates to a Client.
I have an API that I would like to access via a Javascript web application (HTML and jQuery). The Javascript application will use jQuery to make AJAX calls to the API. Depending on the username/password submitted by the user of the Javascript application, different APIs will be available.
In this context, is my Javascript application considered the Client by OAuth? I am confused because other documentation I have read refers to the Client as the third-party application, yet in my case this is not a third-party application. I am not making use of third-party logins (such as Google, Facebook, or Twitter). Does the Client that OAuth refers to only apply to third-party logins?
2 Answers
Your question is a little light on detail, but it sounds like you’re planning on using the Client Credential OAuth flow:
Either way, yes, your Javascript application would be considered the Client. According to the definition in the specification:
And consistent with the article you linked to, the Client is typically considered the third-party in OAuth. The first two parties would be the resource owner (i.e. user) and the resource / authorization server. Of course, the term isn’t very useful in the Client Credential flow where "the client is requesting access to the protected resources under its control".
The client is your Javascript application. "Third party application" or "relying party" also designate your client. To be more clear, a client is an application that will interact with the authorization server or the resource server.
The flow you described is the Resource Owner Password Credentials Grant. However, if your client and the authorization server do not have a trust relationship, I recommend you use the Implicit Grant, which is designed for scripting applications.
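The two grants named in the answers, as an added JavaScript example that is not part of this thread: a browser client builds a Resource Owner Password Credentials token request (the client handles the password itself, which is why a trust relationship matters) and, for the Implicit grant, builds the authorization URL and parses the token out of the redirect fragment. The authorization server URL and endpoint paths are assumptions.

```javascript
// Added example, not from the thread. AUTH_SERVER and the endpoint paths are assumed.
const AUTH_SERVER = "https://auth.example.com";

// Resource Owner Password Credentials grant (RFC 6749 section 4.3): the client
// itself collects the user's password and posts it to the token endpoint as an
// application/x-www-form-urlencoded body. Only a first-party, trusted client
// should ever see the password, which is the trust relationship the answer refers to.
function buildPasswordGrantBody(username, password, scope) {
  const body = new URLSearchParams();
  body.set("grant_type", "password");
  body.set("username", username);
  body.set("password", password);
  if (scope) body.set("scope", scope);
  return body.toString();
}

// Implicit grant (RFC 6749 section 4.2): the user authenticates at the
// authorization server, so the password never passes through the script.
// The access token is returned in the redirect URI fragment.
function buildImplicitAuthorizeUrl(clientId, redirectUri, scope, state) {
  const u = new URL(AUTH_SERVER + "/authorize");
  u.searchParams.set("response_type", "token");
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  if (scope) u.searchParams.set("scope", scope);
  u.searchParams.set("state", state); // unguessable value the client stored before redirecting
  return u.toString();
}

// Parse window.location.hash after the redirect. The state check is what ties
// the response to the request this client actually started.
function parseImplicitFragment(fragment, expectedState) {
  const p = new URLSearchParams(fragment.replace(/^#/, ""));
  if (p.get("state") !== expectedState) {
    throw new Error("state mismatch: discard this response");
  }
  if (p.get("error")) throw new Error("authorization error: " + p.get("error"));
  return {
    accessToken: p.get("access_token"),
    tokenType: p.get("token_type"),
    expiresIn: Number(p.get("expires_in")),
  };
}

// With either grant, the AJAX call to the API carries the token as a Bearer header (RFC 6750).
function bearerHeaders(accessToken) {
  return { Authorization: "Bearer " + accessToken };
}
```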