OAuth2 Protocol and JWT

...

The response from either of the above endpoints would provide the edX-issued JWT token as follows:

{"access_token": "eyJhbGciOiJIUzI1NiJ9.<payload elided>.7FK80Fj8DLXEEFiXvA3pZfxkgfuK7cvOSrggRzjxa_o", "token_type": "JWT", "expires_in": 2591999, "scope": ""}
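As an added example (not code from the original page or from edX), the following Python checks a token response of the shape shown above the way a resource server would: it pins the algorithm to HS256, verifies the HMAC, and rejects expired tokens. The signing secret and the claims are constructed assumptions; only the header segment eyJhbGciOiJIUzI1NiJ9 (which decodes to {"alg":"HS256"}) comes from the page.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key (hypothetical, not edX's signing key). HS256 matches the
# "alg" in the header shown above: eyJhbGciOiJIUzI1NiJ9 -> {"alg":"HS256"}.
SAMPLE_SECRET = b"hypothetical-shared-hs256-key"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    header = b64url_encode(b'{"alg":"HS256"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def sample_token_response(now: int, secret: bytes) -> str:
    # Constructed response in the shape shown above; expires_in 2591999 as on the page.
    jwt = make_hs256_jwt({"sub": "example-user", "exp": now + 2591999}, secret)
    return json.dumps({"access_token": jwt, "token_type": "JWT", "expires_in": 2591999, "scope": ""})

def verify_token_response(response_json: str, secret: bytes, now: int) -> dict:
    """Server-side check of a token response: type, pinned alg, HMAC, expiry."""
    resp = json.loads(response_json)
    if resp.get("token_type") != "JWT":
        raise ValueError("unexpected token_type")
    parts = resp.get("access_token", "").split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm: the verifier, not the token, decides what is accepted.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims
```

The mobile app, being a public client, never holds this secret; the check belongs on the server that receives the token.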

...

The mobile app is referred to by a Client ID, which is an authorization-server-issued string identifier used to identify (not authenticate) the client making the request.  On edX production servers, we use one common Client ID for all iOS clients and another common Client ID for all Android clients.  The Client ID is not intended to be a secret, but rather a way to associate requests with a client (or, in this case, a group of clients).  In Django, Client IDs are managed using the OAuth2 Client page on the Django admin interface (/admin/oauth2_provider/clientapplication/).

Although a Client Secret is automatically generated for each OAuth2 Client in Django, Client Secrets for mobile apps are NOT to be used.  They should definitely not be distributed to, transported to, configured in, or stored on the apps.  As the RFC states, we assume we cannot authenticate a mobile app, since any client credential can be extracted by tampering with the local device.

...