An OAuth client is the combination of a set of credentials (at least a
client_id, and often a client_secret or key), the server endpoints it
talks to, and an authentication mechanism. You'll get the credentials when
you register the client on the API's website. Supply the token_url
directly, or pass the result of oauth_server_metadata() as metadata to
fill in all of the server's endpoints at once.
Arguments
- id
Client identifier.
- token_url
Url to retrieve an access token. Not needed if
metadatais supplied, which sets it from thetoken_endpoint.- secret
Client secret. For most apps, this is technically confidential so in principle you should avoid storing it in source code. However, many APIs require it in order to provide a user friendly authentication experience, and the risks of including it are usually low. To make things a little safer, I recommend using
obfuscate()when recording the client secret in public code.- key
Client key. As an alternative to using a
secret, you can instead supply a confidential private key. This should never be included in a package.- auth
Authentication mechanism used by the client to prove itself to the API. Can be one of three built-in methods ("body", "header", or "jwt"), or a function that will be called with arguments
req,client, and the contents ofauth_params.The most common mechanism in the wild is
"body"where theclient_idand (optionally)client_secretare added to the body."header"sends theclient_idandclient_secretin HTTP Authorization header."jwt_sig"will generate a JWT, and include it in aclient_assertionfield in the body.See
oauth_client_req_auth()for more details.- auth_params
Additional parameters passed to the function specified by
auth.- name
Optional name for the client. Used when generating the cache directory. If
NULL, generated from hash ofclient_id. If you're defining a client for use in a package, I recommend that you use the package name.- metadata
An
oauth_server_metadata()object. When supplied, the client's server endpoints are taken from the discovery document, so the OAuth flows can find them without you passing each one. An explicittoken_urlstill wins overmetadata.
