This is where you'll see and manage the clients of your workspace.
What is a client?
A client is a central part of the OAuth2 protocol. It's the definition of an application authorized to request access tokens and user information from Fief. In other words, your application will need one of those clients to be able to authenticate users from your Fief workspace.
Each client has a Client ID and a Client Secret. Those values are used during OAuth2 authentication to recognize the client.
Each workspace comes with one client, tied to the default tenant.
View client details
If you click on one of the clients in the list, you'll see its details on the right. In particular, you'll be able to copy its ID and Secret by using the clipboard buttons.
Create a new client
You can create a new client by clicking the Create Client button. A modal will open where you'll be able to input its name, whether it's first-party, its type, its redirect URIs and its associated tenant.
When should I create a new client?
If you have several applications authenticating to your Fief workspace, you should consider creating new clients. Typically, if you have both a web and a mobile application, it's usually a good idea to have a client for each one.
This way, it's easier to track down where the tokens come from, and it mitigates the risk of compromising data if one of the applications suffers a security breach.
Edit an existing client
You can edit an existing client by opening its details and clicking the Edit Client button. A modal will open where you'll be able to change its name, whether it's first-party, its type and its redirect URIs.
You probably noticed that your first client has a first-party badge. It means that this client is intended to be used by your own, official application.
In this context, when users log in to your application, the traditional OAuth2 consent screen is bypassed. Since you are the developer of the application, it makes sense not to ask the user for their consent to use their data on that same application!
For third-party applications, like developers from another company who want to integrate your API in their product, you'll provide them with a client without this first-party flag. In this context, we want the user's consent to be explicit.
The OAuth2 protocol defines two types of clients, depending on the context in which they will be used.
- Confidential: clients where we can guarantee the safety of the client secret. It's suitable for server-based applications like Python or Node.js web applications.
- Public: clients where the client secret can't be kept safe, such as mobile or single-page applications running on the user's device.
Fief allows public clients to make token requests without the client secret. However, it requires a PKCE challenge for maximum security.
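The following added example (not Fief's own code, and not its token endpoint) shows the mechanics behind the PKCE requirement for public clients: the client keeps a secret code_verifier and sends only its S256 code_challenge, and the server recomputes the challenge when the temporary code is exchanged. Endpoint names, the client ID and the issued code are placeholders; the verifier/challenge pair is the RFC 7636 Appendix B test vector.

```python
import base64
import hashlib
import secrets

# RFC 7636 Appendix B test vector, used to check the S256 derivation
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def generate_code_verifier(length: int = 64) -> str:
    """Client side: a high-entropy code_verifier of 43..128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43 to 128 characters long")
    # token_urlsafe only emits [A-Za-z0-9-_], a subset of the RFC 7636 alphabet;
    # it returns more characters than bytes requested, so trim to the target length.
    return secrets.token_urlsafe(length)[:length]


def code_challenge_s256(verifier: str) -> str:
    """Derive the S256 code_challenge: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_code_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    """Server side: recompute the challenge from the presented verifier and compare
    in constant time; reject verifiers outside the RFC 7636 length bounds."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return secrets.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


def run_pkce_exchange() -> tuple[bool, bool]:
    """Walk through one authorization-code flow for a public client (no client secret).

    Returns (legitimate_result, other_party_result): the client that created the
    verifier must succeed; a party holding only the code and challenge must fail.
    """
    # 1. The public client creates the verifier and sends only the challenge to /authorize.
    verifier = generate_code_verifier()
    authorize_request = {
        "response_type": "code",
        "client_id": "CLIENT_ID_PLACEHOLDER",  # placeholder, not a real Fief client ID
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    # 2. After login, the server issues a temporary code bound to the stored challenge
    #    (constructed sample: a dict stands in for the server's code store).
    issued_codes = {"code-abc123": authorize_request["code_challenge"]}
    # 3. The token request carries the code and the verifier, and no client secret.
    legitimate = verify_code_verifier(issued_codes["code-abc123"], verifier)
    # Anyone else presenting that code cannot produce the matching verifier, which is
    # exactly the protection PKCE gives a client that has no secret to present.
    other_party = verify_code_verifier(issued_codes["code-abc123"], generate_code_verifier())
    return legitimate, other_party
```

The server never needs the verifier ahead of time: it stores the challenge alongside the issued code and only checks the verifier at the token request, so a leaked code on its own is useless.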
During an OAuth2 authentication flow, after the user has successfully logged in, Fief will redirect them to your application with a temporary code. At that point, your application will use this temporary code to obtain a valid token.
For security reasons, Fief won't allow the user to be redirected to an arbitrary URI. Instead, you have to explicitly allow every URI you'll need in your applications.
HTTP URIs must use the https scheme; plain http URLs are not allowed. The only exception to this rule is localhost, which can use http for local development purposes.
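As an added example (not Fief's implementation), here is how an authorization server can enforce the two rules above: at registration time, a redirect URI must be https unless its host is exactly localhost, and at authorization time the requested redirect_uri must match a registered one exactly. The exact-match policy and the rejection of fragments are standard OAuth2 practice rather than statements from this page; the sample URIs are constructed.

```python
from urllib.parse import urlsplit


def validate_registered_uri(uri: str) -> None:
    """Registration-time check; raises ValueError when the URI breaks a rule."""
    parts = urlsplit(uri)
    # Redirect URIs must not carry a fragment (RFC 6749 section 3.1.2).
    if parts.fragment or uri.endswith("#"):
        raise ValueError("redirect URIs must not contain a fragment")
    if not parts.scheme:
        raise ValueError("redirect URI must be absolute")
    if parts.scheme == "https":
        return
    if parts.scheme == "http":
        # Only plain "localhost" is exempt; "localhost.example.org" is a different host.
        if parts.hostname == "localhost":
            return
        raise ValueError(f"http is only allowed for localhost, got host {parts.hostname!r}")
    # Any other scheme (e.g. a custom mobile app scheme) is outside the http/https rule.
    return


def is_valid_registered_uri(uri: str) -> bool:
    """Boolean wrapper around validate_registered_uri, convenient for bulk checks."""
    try:
        validate_registered_uri(uri)
        return True
    except ValueError:
        return False


def resolve_redirect_uri(requested: str, registered: list[str]) -> str:
    """Authorization-time check: accept only an exact string match against the
    client's allow-list. No prefix or pattern matching, so no open redirect."""
    if requested not in registered:
        raise ValueError("redirect_uri is not registered for this client")
    return requested


def check_samples() -> dict[str, bool]:
    """Run the registration check over constructed sample URIs."""
    samples = [
        "https://app.example.com/auth/callback",
        "http://localhost:8000/auth/callback",
        "http://app.example.com/auth/callback",
        "http://localhost.evil.example/auth/callback",
        "https://app.example.com/auth/callback#token",
        "/auth/callback",
        "myapp://auth/callback",
    ]
    return {uri: is_valid_registered_uri(uri) for uri in samples}
```

Note that the localhost exemption is decided on the parsed hostname, so a port such as localhost:8000 is fine while a hostname that merely starts with "localhost" is refused.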
Authorization code and tokens lifetime
You can customize the lifetime of each one of them by clicking on the Lifetimes tab in a client's details.
Make sure you know what you're doing
The default values provided should be enough for most applications and give a good balance between usability and security. Please make sure you understand all the consequences before modifying those values.