I'm currently creating my app within the Zapier platform. I have OAuth endpoints setup in my application, hosted on Heroku. From my understanding of OAuth, I need to store Zapier's client_id and client_secret in my app's database to identify who (Zapier in this case) is requesting API access to my app through the OAuth flow.
Zapier is asking me for my app's client_id and client_secret (why?), but they haven't given me theirs. Not sure how I'm supposed to get a successful authorization if they won't give me their client_id and client_secret.
Is my understanding of OAuth wrong? How am I supposed to identify who is requesting access to my API?
I've tried finding explanations for OAuth flows and looked through Zapier's documentation but there seems to be a general lack of useful information around this topic.
You are required to create an identity with your identity provider (AAD, for example) for your application in Zapier and configure a secret for it. The ID of this application and the generated secret are to be configured in Zapier.
These details will be used to generate tokens for use by the client in Zapier. Your API should have logic to decode these tokens to really identify the client (based on its ID baked into the token).
It is the ID and secret you generate for the client application with your identity provider that you term as Zapier Client ID and Secret, and these are not necessarily Zapier's own credentials.