Exam 350-901 topic 1 question 327 discussion

A. cliend id very obvious, it identifies the client

This is an awkwardly phrased question. But it's asking for the client ID that is a unique identifier that identifies the client application, and thus associates the resource owner's permissions with the client application. The resource owner is not unique (although it's an individual person, or group of people), as this person (or group of people) can authenticate multiple times, maybe even simultaneously from multiple separate client apps. It's the client ID assigned each time to each client app that is unique.

https://www.ibm.com/docs/en/datapower-gateway/7.6?topic=flows-three-legged-oauth-flow

The client ID is a unique identifier for an OAuth client. The OAuth client uses its client ID and client secret or its client ID and client certificate to provide identity and optionally the credentials. The other options in the question are not unique identifiers, but roles or components of the OAuth2 three-legged authorization code flow2.

Client ID is assigned to the resource owner by Authorization Server From DEVCOR Study Guide.

Option B B. Resource owner In the OAuth2 three-legged authorization code flow, there are three parties involved: the client application, the authorization server, and the resource owner (the user). The flow involves multiple steps where the client application first requests authorization from the user (the resource owner) by redirecting them to the authorization server. The user then grants or denies authorization, and if they grant it, the authorization server issues an authorization code to the client. The client then uses this authorization code to obtain an access token from the authorization server, which can be used to access the protected resources on behalf of the user. The client ID is a unique identifier that is assigned to the client application by the authorization server when the client registers with the server. The authorization server is the server responsible for issuing access tokens to the client after the client presents the authorization code. The resource server is the server that hosts the protected resources that the client is trying to access using the access token.