oauth tutorial - OAuth Client Credentials - oauth2 tutorial - oauth authentication
What is Client Credentials in OAuth 2.0?
- The client credentials are used as an authorization grant when the client is itself the resource owner, that is, when it requests access to protected resources that are under its own control.
- In this grant the client requests an access token using only its own client credentials; no end user takes part in the exchange.
- The client credentials authorization flow is used to acquire an access token in order to authorize API requests.
- The Client Credentials grant is used when an application requests an access token to access its own resources, rather than acting on behalf of an end user.
- Using client credentials authorization, the client application acquires an access token that grants it permission, for example, to search and retrieve catalog documents.
- The diagram given below describes the client credentials flow.
[Figure: process of the client credentials flow in OAuth 2.0]
Description of the diagram:
- The client sends its client credentials to the authorization server and authenticates with it.
- The authorization server authenticates the client, issues an access token with no refresh token, and sends it back to the client.
- The client accesses the protected resource on the resource server using the access token.
- The resource server then sends the protected resource response back to the client.
- The table given below lists the concepts of Client Credentials.

| Sr.No. | Concept & Description |
|---|---|
| 1 | Obtaining End-User Authorization. The authorization endpoint is typically a URI on the authorization server at which the resource owner logs in and grants the client application permission to access the data. |
| 2 | The authorization response can be used to obtain the access token for accessing the owner's resources in the system, using the authorization code. |
| 3 | Error Response and Codes. If an error occurs during authorization, the authorization server responds with an HTTP 400 (Bad Request) or 401 (Unauthorized) status code. |
Client Credentials Grant flow
- The Client Credentials grant is suitable for machine-to-machine authentication. To obtain a token, the client sends a POST request to the authorization server with the parameters given below:
- grant_type is the grant type, with the value client_credentials
- client_id is the client identifier that was issued to the client
- client_secret is the secret that was issued to the client; it authenticates the client to the authorization server
- scope is a space-delimited list of the requested scope permissions
- The authorization server responds to the client with a JSON object containing the parameters given below:
- token_type is given with the value Bearer
- expires_in is an integer that represents the TTL (time to live) of the access token, in seconds
- access_token is a JWT signed with the authorization server's private key
[Figure: process of the client credentials grant flow in OAuth 2.0]
Client Credentials Grant Request
- The client credentials grant request is a request to the authorization server that includes an HTTP Basic authentication header and, optionally, a client assertion.
- The client credentials grant request can use a previously generated client assertion or build a new one.
- The client credentials grant request contains the parameters given below:

| Parameter | Description |
|---|---|
| grant_type | Required. Must be set to client_credentials. |
| scope | Optional. The scope of the access being requested. |
Client Credentials Grant Response
- Before issuing a grant response, the authorization server authenticates the client based on the Authorization header or the client assertion.
- If the client is authenticated, it receives an access token in the grant response.
- The client credentials grant response contains the parameters given below:
- access_token is the access token assigned by the authorization server.
- token_type is the type of the token assigned by the authorization server.
- expires_in is the number of seconds after which the access token expires and is no longer valid.
- A refresh token should not be included in the response to this type of authorization request.
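The request and response described in the two sections above, worked through as an added Python example (not code from the original tutorial). It builds the POST body and the HTTP Basic header for the grant request, then validates a token response the way a client should: checking the Bearer token type and expiry, surfacing a 400/401 error body, and rejecting a refresh_token, which this grant must not issue. The token endpoint URL, client_id, client_secret and the two sample responses are constructed placeholders; nothing is sent over the network.

```python
"""Client Credentials grant: build the token request, validate the token response.

Added illustration, not the tutorial's own code. All URLs, credentials and
sample responses are constructed placeholders.
"""
import base64
import json
import time
from typing import Optional
from urllib.parse import quote, urlencode

TOKEN_ENDPOINT = "https://auth.example.com/oauth2/token"   # constructed placeholder


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic header for client authentication (RFC 6749 section 2.3.1).

    The id and secret are form-urlencoded before they are joined with ':' and
    base64-encoded, so a secret that itself contains ':' or '%' survives intact.
    """
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def build_token_request(client_id: str, client_secret: str, scope: Optional[str] = None) -> dict:
    """Return the pieces of the POST the client sends to the authorization server.

    The client secret travels only in the Authorization header, never in the body or URL.
    """
    body = {"grant_type": "client_credentials"}
    if scope:
        body["scope"] = scope                   # space-delimited list of requested scopes
    return {
        "method": "POST",
        "url": TOKEN_ENDPOINT,
        "headers": {
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(body),
    }


class TokenError(Exception):
    """Raised when the authorization server rejects the request or the response is malformed."""


def parse_token_response(status: int, body: str, now: Optional[float] = None) -> dict:
    """Validate a token response and return only the fields the client needs.

    Success is HTTP 200 with token_type 'Bearer' (RFC 6749 section 5.1); an error is
    400 or 401 with an 'error' code (section 5.2). No refresh_token is allowed here.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise TokenError(f"token endpoint returned a non-JSON body: {exc}") from exc

    if status != 200:
        msg = f"HTTP {status}: {data.get('error', 'unknown_error')}"
        if data.get("error_description"):
            msg += f": {data['error_description']}"
        raise TokenError(msg)

    if str(data.get("token_type", "")).lower() != "bearer":
        raise TokenError(f"unsupported token_type {data.get('token_type')!r}")
    if not isinstance(data.get("access_token"), str) or not data["access_token"]:
        raise TokenError("response lacks an access_token")
    if not isinstance(data.get("expires_in"), int) or data["expires_in"] <= 0:
        raise TokenError("expires_in must be a positive integer number of seconds")
    if "refresh_token" in data:
        raise TokenError("refresh_token must not be issued for the client credentials grant")

    issued_at = time.time() if now is None else now
    return {
        "access_token": data["access_token"],
        "expires_at": issued_at + data["expires_in"],   # absolute time, for the cache
        "scope": data.get("scope"),
    }


def token_is_fresh(token: dict, now: float, skew: int = 30) -> bool:
    """True while the token has more than `skew` seconds of life left (clock-skew margin)."""
    return token["expires_at"] - now > skew


# Constructed sample exchange, following the tutorial's diagram.
SAMPLE_OK = ('{"access_token":"eyJhbGciOiJSUzI1NiJ9.constructed.signature",'
             '"token_type":"Bearer","expires_in":3600,"scope":"catalog:read"}')
SAMPLE_ERR = '{"error":"invalid_client","error_description":"client authentication failed"}'

if __name__ == "__main__":
    req = build_token_request("my-client", "s3cr3t", "catalog:read")
    print(req["headers"]["Authorization"], req["body"])
    tok = parse_token_response(200, SAMPLE_OK, now=1_700_000_000)
    print(tok, token_is_fresh(tok, 1_700_000_000))
    try:
        parse_token_response(401, SAMPLE_ERR)
    except TokenError as err:
        print("rejected:", err)
```

The client caches the returned token until `token_is_fresh` says otherwise and then simply repeats the request; because no refresh token exists for this grant, re-authenticating with the client credentials is the only way to get a new token.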