Client Credentials Grant Type in OAuth

  • The Client Credentials grant type is used by applications/services to obtain an access token outside of the context of a user.
  • It is used when an application requests an access token to access its own resources, not on behalf of a user. For example, suppose you have two APIs, one for maintaining users and one for sending notifications to users. When the notification API has to invoke the user API, it can use the client credentials grant type.
  • This flow is useful for systems that need to perform API operations when no user is present, such as nightly jobs or other processes that involve invoking protected APIs.
  • It is a server to server flow and there is no user involved in the process. Therefore the resulting access token will not contain a user.
  • The general flow involves the following:
    • Authenticate w/ Client ID and Secret: An app, for example an API, makes a POST request to the authorization server using its client ID and secret.
    • Issue Access Token: The authorization server validates the client ID and client secret and issues an access token.
    • Request Resource with Access Token: The app attempts to access the protected resource from the resource server by presenting the access token.
    • Return Resource: If the access token is valid, the resource server returns the resources to the app.
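The four steps above, modelled end to end as an added example (not code from the original post): the notifications API builds the token request, a minimal authorization server validates the client credentials and issues a user-less token, and the users API (resource server) checks that token before returning data. The client ID, secret, scopes and user list are constructed sample values, and the in-memory token store stands in for a real issuer.

```python
import base64, hmac, secrets, time
from urllib.parse import urlencode, parse_qs

# Constructed sample registration for a hypothetical notifications-API client.
CLIENTS = {"notifications-api": {"secret": "s3cr3t-example", "scope": {"users:read"}}}
ISSUED = {}  # opaque access token -> claims (the authorization server's token store)

def build_token_request(client_id, client_secret, scope):
    """Step 1 (client): the POST sent to the token endpoint.
    Credentials travel in an HTTP Basic header, the grant type in the form body."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return headers, body

def token_endpoint(headers, body):
    """Step 2 (authorization server): validate client ID/secret, issue a token with no user."""
    scheme, _, creds = headers.get("Authorization", "").partition(" ")
    try:
        decoded = base64.b64decode(creds, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        decoded = ""
    client_id, _, secret = decoded.partition(":")
    client = CLIENTS.get(client_id)
    # Constant-time comparison; compare against a dummy when the ID is unknown
    # so an attacker cannot distinguish "no such client" from "wrong secret" by timing.
    expected = client["secret"] if client else "x" * len(secret)
    if scheme != "Basic" or not client or not hmac.compare_digest(secret.encode(), expected.encode()):
        return 401, {"error": "invalid_client"}
    form = parse_qs(body)
    if form.get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    requested = set(form.get("scope", [""])[0].split())
    if not requested <= client["scope"]:  # never grant more than the client was registered for
        return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)
    # The claims identify the calling client only; there is no user ("sub") in this flow.
    ISSUED[token] = {"client_id": client_id, "scope": requested, "exp": time.time() + 3600}
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

def resource_server(auth_header, needed_scope):
    """Steps 3-4 (users API): serve the request only for a valid, unexpired, in-scope token."""
    scheme, _, token = auth_header.partition(" ")
    claims = ISSUED.get(token) if scheme == "Bearer" else None
    if not claims or claims["exp"] < time.time() or needed_scope not in claims["scope"]:
        return 401, None
    return 200, {"users": ["alice", "bob"], "called_by": claims["client_id"]}
```

Because the token carries a client identity rather than a user, the resource server should authorize on client ID and scope only and never try to derive a "current user" from it.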

Client Credentials Flow

Thank You !!
