What Client Credentials Flow Is
The client credentials grant type is used when there is no user present, and the client authenticates itself with the authorization server. In other words, the client credentials grant type is used by client applications to obtain an access token beyond the context of a user, for example, in machine-to-machine environments.
Get Tokens Using Client Credentials Flow
Cloudentity comes with a multi-tenant authorization server as a service that can issue security tokens to machine-to-machine client apps using the client credentials flow.
Only confidential clients able to store their credentials securely can use the client credentials flow.
How Client Credentials Flow Works
- The client application uses client authentication as its authorization grant, and no additional authorization is needed.
- The client requests an access token by calling the token endpoint.
Sample call to the token endpoint with Cloudentity as an authorization server
This is a valid sample when a client uses client_secret_post as the client authentication method.
curl -X POST https://$TENANT_ID.$REGION_ID.authz.cloudentity.io/$TENANT_ID/$WORKSPACE_ID/oauth2/token \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --data-raw "grant_type=client_credentials&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET"
Region identifier
REGION_ID is available for recently created tenants in the tenant URL next to TENANT_ID. The region IDs are assigned as follows:
- Australia: au
- Europe: eu
- USA: us
For tenants without the region identifier, the REGION_ID parameter must be skipped.
- The authorization server validates the client credentials received in the request.
- The authorization server returns the token.
- The client requests protected resources from the resource server and submits the token it received in the previous step.
Remember
It is recommended to limit the scope the client application can access when calling the /token endpoint. This way, the client can request only the resources it needs to access.
- The resource server validates the token and responds with the requested resources.