OAuth2 Client Setup
| Item | Detail |
|---|---|
| Purpose | Explain what information Quran Foundation needs to create your OAuth2 client |
| Use this when | You are requesting access or updating client settings |
| Do not use this when | Your client is already provisioned and you only need SDK code |
| Backend required | Not for setup itself |
| Allowed runtimes | Any |
| Required credentials | None yet |
| Minimal import | None |
What The Request Access Form Asks For
| Field | Why it matters |
|---|---|
| App name | Shown to users on login and consent screens |
| Redirect URIs | Where users return after login |
| Post-logout redirect URIs | Where users return after logout |
| Website URL | Lets users identify your app |
| Privacy policy URL | Required for trust and compliance |
| Terms of service URL | Required for trust and compliance |
| Logo URL | Optional, but improves consent screen clarity |
Use Request Access to submit these details. For redirect URIs and post-logout redirect URIs, add each URL in its own row.
Important Question
Ask this clearly:
Is my client confidential or public?
If Quran Foundation does not explicitly say your client is public, assume it is confidential and plan for backend token exchange.
For a confidential client, the browser should never hold client_secret. The backend or BFF (backend-for-frontend) keeps it, exchanges the code, refreshes the session, and stores tokens server-side. That is true even if your frontend runs on the edge.