- The Client Credentials grant type is used by applications/services to obtain an access token outside of the context of a user.
- It is used when an application requests an access token to access its own resources, not on behalf of a user. Example: you have two APIs, one for maintaining users and one for sending notifications to users. When the notification API has to invoke the user API, it can use the client credentials grant type.
- This flow is useful for systems that need to perform API operations when no user is present, such as nightly batch jobs or other processes that invoke protected APIs.
- It is a server to server flow and there is no user involved in the process. Therefore the resulting access token will not contain a user.
- The general flow involves the following steps:
- Authenticate with Client ID and Secret: an app, for example an API, makes a POST request to the authorization server's token endpoint using its client ID and client secret.
- Issue Access Token: the authorization server validates the client ID and client secret and issues an access token.
- Request Resource with Access Token: the app attempts to access the protected resource on the resource server by presenting the access token.
- Return Resource: if the access token is valid, the resource server returns the resource to the app.
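The four steps above, walked through in one added Python example that is not part of the original notes. It assumes a constructed client registration for the notification API, an in-memory token store standing in for the authorization server, and a users resource guarded by a `users.read` scope; a real server would issue signed tokens (for example JWTs) instead of opaque strings in a dict.

```python
import base64
import hmac
import secrets
import time
from urllib.parse import parse_qs

# Constructed sample registration of the calling app (assumed values, not real credentials).
CLIENTS = {"notification-api": "s3cret-example"}
ISSUED = {}  # assumed in-memory token store: access_token -> claims

def build_token_request(client_id, client_secret):
    """Step 1: the app's POST to the token endpoint, client authenticated via HTTP Basic."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, "grant_type=client_credentials&scope=users.read"

def token_endpoint(headers, body):
    """Step 2: authorization server validates client id/secret and issues a token."""
    scheme, _, cred = headers.get("Authorization", "").partition(" ")
    try:
        client_id, _, secret = base64.b64decode(cred).decode().partition(":")
    except Exception:
        return 401, {"error": "invalid_client"}
    expected = CLIENTS.get(client_id)
    # Constant-time comparison so a wrong secret is not distinguishable by timing.
    if scheme != "Basic" or expected is None or not hmac.compare_digest(secret, expected):
        return 401, {"error": "invalid_client"}
    form = parse_qs(body)
    if form.get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    token = secrets.token_urlsafe(32)
    # No user is involved, so the token carries no subject: only the client identity.
    ISSUED[token] = {"client_id": client_id, "sub": None,
                     "scope": form.get("scope", [""])[0], "exp": time.time() + 3600}
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

def resource_endpoint(headers):
    """Steps 3 and 4: resource server checks the bearer token, then returns the resource."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    claims = ISSUED.get(token) if scheme == "Bearer" else None
    if claims is None or claims["exp"] < time.time():
        return 401, {"error": "invalid_token"}
    if "users.read" not in claims["scope"].split():
        return 403, {"error": "insufficient_scope"}
    return 200, {"users": ["alice", "bob"], "called_by": claims["client_id"], "user": claims["sub"]}

def run_flow(client_id, client_secret):
    """End to end: obtain a token, then call the user API with it."""
    status, tok = token_endpoint(*build_token_request(client_id, client_secret))
    if status != 200:
        return status, tok
    return resource_endpoint({"Authorization": f"Bearer {tok['access_token']}"})
```

`run_flow("notification-api", "s3cret-example")` returns the users list with `"user": None`, showing that the token identifies the calling service rather than a person.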
Client Credentials Flow