Authorization Basics


Client Credentials Flow

The client credentials grant is a flow used for communication between services and applications, whether one or many are involved. It can be used, for example, by applications that process batches or that integrate multiple systems.

What Client Credentials Flow Is

The client credentials grant type is used when there is no user present, and the client authenticates itself with the authorization server. In other words, the client credentials grant type is used by client applications to obtain an access token beyond the context of a user, for example, in machine-to-machine environments.

Get Tokens Using Client Credentials Flow

Cloudentity comes with a multi-tenant authorization server as a service capable of issuing security tokens to machine-to-machine client apps in the client credentials flow.

Only confidential clients able to store their credentials securely can use the client credentials flow.

How Client Credentials Flow Works

The client application uses client authentication as its authorization grant, and no additional authorization is needed.

[mermaid-begin]
sequenceDiagram
  autoNumber
  participant Client application
  participant Authorization server
  participant Resource server (API)
  activate Client application
  activate Authorization server
  Client application->>Authorization server: Request token
  deactivate Client application
  Authorization server->>Authorization server: Validate client credentials
  Authorization server->>Client application: Return token
  activate Client application
  activate Resource server (API)
  Client application->>Resource server (API): Call API with token
  Resource server (API)->>Client application: Return data
  deactivate Resource server (API)
  deactivate Client application

  1. The client requests an access token by calling the token endpoint.

    Sample call to the token endpoint with Cloudentity as an authorization server

    This is a valid sample when a client uses client_secret_post as the client authentication method.

    curl -X POST https://$TENANT_ID.$REGION_ID.authz.cloudentity.io/$TENANT_ID/$WORKSPACE_ID/oauth2/token \
    --header "Content-Type: application/x-www-form-urlencoded" \
    --data-raw "grant_type=client_credentials&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET"
    

    Region identifier

    REGION_ID is available for recently created tenants in the tenant URL next to TENANT_ID. The region IDs are assigned as follows:

    • Australia: au

    • Europe: eu

    • USA: us

    For tenants without the region identifier, the REGION_ID parameter must be skipped.

  2. The authorization server validates the client credentials received in the request.

  3. The authorization server returns the token.

  4. The client requests protected resources from the resource server and submits the token it received in the previous step.

    Remember

    It is recommended to limit the scope the client application can access when calling the /token endpoint. This way, the client can request only the resources it needs.

  5. The resource server validates the token and responds with the requested resources.
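The five steps above as an added Python example (not Cloudentity's own client code): a small client that builds the token URL with or without a region, sends a client_secret_post body limited to the scopes it needs, caches the access token until shortly before expires_in runs out, and attaches it as a Bearer header for the API call. The host form for tenants without a region (TENANT_ID.authz.cloudentity.io), the standard OAuth 2.0 JSON token response fields, and the fake token endpoint used for the offline demo are assumptions.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

def token_url(tenant_id, workspace_id, region_id=None):
    """Token endpoint URL; without a region the host is assumed to be TENANT_ID.authz.cloudentity.io."""
    host = f"{tenant_id}.{region_id}." if region_id else f"{tenant_id}."
    return f"https://{host}authz.cloudentity.io/{tenant_id}/{workspace_id}/oauth2/token"

def token_request_body(client_id, client_secret, scopes):
    """client_secret_post: credentials go in the form body; request only the scopes the client needs."""
    return urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": " ".join(scopes)})

def post_form(url, body):  # real HTTP POST of a form body, returning (status, response text)
    req = Request(url, data=body.encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode()

class ClientCredentialsClient:
    """Fetches an access token (steps 1-3) and caches it until shortly before expires_in runs out."""

    def __init__(self, url, client_id, client_secret, scopes, http=post_form, skew=30):
        self.url, self.client_id, self.client_secret = url, client_id, client_secret
        self.scopes, self.http, self.skew, self.token, self.expires_at = scopes, http, skew, None, 0.0

    def access_token(self, now=None):
        now = time.time() if now is None else now
        if self.token is None or now >= self.expires_at - self.skew:
            status, text = self.http(self.url, token_request_body(self.client_id, self.client_secret, self.scopes))
            if status != 200:  # e.g. invalid_client: surface the error instead of retrying in a tight loop
                raise RuntimeError(f"token endpoint returned {status}: {text}")
            tok = json.loads(text)
            if tok.get("token_type", "").lower() != "bearer":
                raise RuntimeError(f"unexpected token_type {tok.get('token_type')!r}")
            self.token, self.expires_at = tok["access_token"], now + int(tok["expires_in"])
        return self.token

    def auth_header(self, now=None):  # what the API call (step 4) sends to the resource server
        return {"Authorization": f"Bearer {self.access_token(now)}"}

def fake_token_endpoint(url, body):
    """Constructed stand-in for the authorization server so the demo runs offline."""
    fake_token_endpoint.calls += 1
    return 200, json.dumps({"access_token": f"tok{fake_token_endpoint.calls}",
                            "token_type": "Bearer", "expires_in": 3600})

fake_token_endpoint.calls = 0
```

Pass `http=fake_token_endpoint` to `ClientCredentialsClient` to exercise the caching logic without a network; the default `post_form` talks to the real endpoint.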

Updated: Sep 8, 2023