Authorization Basics

Client Credentials Flow

The client credentials grant is a flow used for service-to-service and application-to-application communication, where no end user is involved. It suits, for example, applications that process batches or integrate multiple systems.

In a Nutshell

The client credentials grant type is used when there is no user present, and the client authenticates itself with the authorization server. In other words, the client credentials grant type is used by client applications to obtain an access token beyond the context of a user, for example, in machine-to-machine environments.

Only confidential clients able to store their credentials securely can use the client credentials flow.

Authorization

The client application uses client authentication as its authorization grant, and no additional authorization is needed.

Flow in Depth

Sequence diagram of the flow (Mermaid source):

    sequenceDiagram
      autonumber
      participant Client application
      participant Authorization server
      participant Resource server (API)
      activate Client application
      activate Authorization server
      Client application->>Authorization server: Request token
      deactivate Client application
      Authorization server->>Authorization server: Validate client credentials
      Authorization server->>Client application: Return token
      activate Client application
      activate Resource server (API)
      Client application->>Resource server (API): Call API with token
      Resource server (API)->>Client application: Return data
      deactivate Resource server (API)
      deactivate Client application

  1. The client requests an access token by calling the token endpoint.

    Sample call to the token endpoint with Cloudentity as an authorization server

    This is a valid sample when a client uses client_secret_post as the client authentication method.

    curl -X POST https://$TENANT_ID.$REGION_ID.authz.cloudentity.io/$TENANT_ID/$WORKSPACE_ID/oauth2/token \
    --header "Content-Type: application/x-www-form-urlencoded" \
    --data-raw "grant_type=client_credentials&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET"
    

    Region identifier

    REGION_ID is available for recently created tenants in the tenant URL next to TENANT_ID. The region IDs are assigned as follows:

    • Australia: au

    • Europe: eu

    • USA: us

    For tenants without the region identifier, the REGION_ID parameter must be skipped.

  2. The authorization server validates the client credentials received in the request.

  3. The authorization server returns the token.

  4. The client requests protected resources from the resource server and submits the token it received in the previous step.

    Remember

    It is recommended to limit the scope the client application can request when calling the /token endpoint. This way, the client can obtain access only to the resources it actually needs.

  5. The resource server validates the token and responds with the requested resources.
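The five steps above, as an added worked example that is not from this page and not Cloudentity's own code: a single-process Python simulation of the client building a client_secret_post token request, the authorization server validating the credentials and the requested scope before issuing an opaque token, and the resource server checking the token and scope before returning data. The client_id, secret, scopes, token store and returned data are all constructed for the example; a real deployment would use Cloudentity's hosted token endpoint and its own token format.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed client registration, as an authorization server would hold it.
# The secret is stored hashed; only the client knows the plaintext.
CLIENT_ID = "batch-importer"             # hypothetical client
CLIENT_SECRET = "s3cret-example-value"   # constructed; would live in a vault
REGISTERED_CLIENTS = {
    CLIENT_ID: {
        "secret_hash": hashlib.sha256(CLIENT_SECRET.encode()).hexdigest(),
        "allowed_scopes": {"orders:read", "orders:write"},
        "grant_types": {"client_credentials"},
    }
}
ISSUED_TOKENS = {}   # opaque token -> {"client_id", "scope", "exp"}
TOKEN_TTL = 3600     # seconds


def client_token_request(client_id, client_secret, scope=None):
    """Step 1: the client builds the form body it POSTs to /oauth2/token."""
    params = {"grant_type": "client_credentials",
              "client_id": client_id, "client_secret": client_secret}
    if scope:
        params["scope"] = scope
    return urlencode(params)


def token_endpoint(form_body):
    """Steps 2-3: validate client_secret_post credentials and the requested scope,
    then return a token response or an OAuth error object."""
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    if form.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    client = REGISTERED_CLIENTS.get(form.get("client_id", ""))
    presented = hashlib.sha256(form.get("client_secret", "").encode()).hexdigest()
    # Compare against a dummy hash for unknown clients so the response time
    # does not reveal which client_ids exist.
    expected = client["secret_hash"] if client else hashlib.sha256(b"").hexdigest()
    if not hmac.compare_digest(expected, presented) or client is None:
        return {"error": "invalid_client"}
    if "client_credentials" not in client["grant_types"]:
        return {"error": "unauthorized_client"}
    # Scope limiting: the client may only receive scopes it was registered for.
    requested = set(form["scope"].split()) if form.get("scope") else client["allowed_scopes"]
    if not requested <= client["allowed_scopes"]:
        return {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[token] = {"client_id": form["client_id"], "scope": requested,
                            "exp": time.time() + TOKEN_TTL}
    return {"access_token": token, "token_type": "Bearer",
            "expires_in": TOKEN_TTL, "scope": " ".join(sorted(requested))}


def resource_server(authorization_header, required_scope):
    """Steps 4-5: validate the bearer token and its scope before returning data."""
    if not authorization_header.startswith("Bearer "):
        return 401, {"error": "invalid_request"}
    entry = ISSUED_TOKENS.get(authorization_header[len("Bearer "):])
    if entry is None or entry["exp"] < time.time():
        return 401, {"error": "invalid_token"}
    if required_scope not in entry["scope"]:
        return 403, {"error": "insufficient_scope"}
    return 200, {"orders": ["A-100", "A-101"], "served_to": entry["client_id"]}


def run_flow(scope="orders:read"):
    """Drive all five steps; returns the API result or the token error."""
    token_response = token_endpoint(client_token_request(CLIENT_ID, CLIENT_SECRET, scope))
    if "access_token" not in token_response:
        return token_response
    return resource_server(f"Bearer {token_response['access_token']}", "orders:read")


if __name__ == "__main__":
    print(run_flow())
```

Two choices worth noting: the token endpoint always performs the hash comparison, even for an unknown client, and it rejects any scope outside the client's registration rather than silently narrowing it, which makes over-broad requests visible in the server's error responses.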

Cloudentity as Authorization Server

Cloudentity provides application and security teams with a better way to automate and control how information is shared over APIs. As part of our services, we support the client credentials grant.

This section covers the essential steps to try the client credentials grant for applications created with Cloudentity.

In case you need more intro information, take a look at the Quickstart section. It will guide you through the key concepts Cloudentity offers. Take in the fundamentals of access management, find out the conditions of compliance with open banking, and discover how Cloudentity APIs can make your life easier.

Launch a free tenant and use the Demo workspace to explore the client credentials flow. To add users, connect a Sandbox IDP (for testing purposes) or any of the wide range of IDPs supported by Cloudentity. Alternatively, if you have no preferred IDP, connect the Cloudentity Identity Pools IDP. Then try the client credentials grant to see how the flow goes.

To activate the client credentials grant, do the following:

  1. Enable the Client credentials grant type for the Demo workspace.

  2. Configure the OAuth settings for the Demo client application:

    • Add the Client credentials grant type.

    • Set token endpoint authentication method to Client secret post.

You can set up dynamic scopes for your application, from coarse- to fine-grained. Upon scope modifications, configure the user consent form based on your changes.

More in Cloudentity

Cloudentity supports other grant types as well. So when the client credentials grant isn’t suitable for your use case, you can select another type based on your needs.

For example, when the authorization takes place within the user context, and your client application is web-based, use the Authorization code grant. Implemented with Cloudentity, your application is authorized securely and is compliant with standards and best practices for Access management.

You can also improve the authentication experience for your native application with the refresh token flow. Cloudentity ensures the refresh token flow is protected and accomplished with solid Identity management.

Read more about OAuth grant types in our article on which grant types are available in Cloudentity, and choose the type that meets your case.

Updated: Nov 3, 2022