I am implementing an OAuth 2 provider and am wondering if it’s necessary to generate both an API key and a client id for clients when they register an app with my provider.
From looking at OAuth 1.0a providers like Google and Twitter, they only have one key for clients, but Facebook (OAuth 2) has both an API key and an application id, but uses the app id as their “client_id” param in their OAuth 2 dance.
I’m pretty sure neither the OAuth 1.0a nor OAuth 2 spec specifies more than one key for the client.
I am not sure in what context a provider would need to generate both for a client app.
I bet that Google and Twitter also uses application IDs in their database record for each application. In twitter, when you manage your OAuth apps you go to http://dev.twitter.com/apps/1234 where 1234 is the application ID.
It’s just that in Facebook, they started using “apps” before OAuth and they have been using the application ID for apps to identify itself in requests since the start. It probably is just a some decision their developers made to lessen the complexity on their end.
In conclusion the application id is just their way of keeping track of applications, so the question is how will you?
Just note that when an application is compromised there should be an option to reset the consumer key and/or secret.