
OAuth2 – Client Credentials Grant

Published June 16, 2018 in OAuth2, security

In this post, I’ll give a high-level overview of the Client Credentials Grant by example.

Client Credentials Grant:

The Client Credentials Grant is for obtaining an access token based solely on the client’s own credentials, without any user’s involvement. Simply put, the Client Credentials Grant is for machine-to-machine communication.

When to use the Client Credentials Grant:

According to the specs,

The client credentials grant type MUST only be used by confidential clients.

This blog post gives a clear example of a confidential client:

An example of a confidential client could be a web app, where no one but the administrator can get access to the server, and see the client password.

It makes sense that the client must be a confidential client. A public client such as a JavaScript application is not capable of hiding the client’s credentials; for instance, a user can see the credentials by viewing the source code.

Example:

Suppose you are developing the payment sub-system for an online book store. The sub-system consists of OAuth-protected micro services. The Payment micro service handles payment processing, and the PDF micro service handles generating receipts as PDFs. When a user purchases books, the Payment micro service processes the user’s payment and calls the PDF micro service to generate the receipt. The user does not need an account to purchase books, so the communication between the micro services does not involve the user. The steps below describe how the Payment micro service obtains a PDF receipt from the PDF micro service.

  1. The Payment micro service sends a request to the authorization server to obtain an access token, specifying the grant type as “client_credentials” and passing over the client’s credentials (client id and secret).
  2. The authorization server verifies the client’s credentials. If they are valid, it issues an access token to the Payment micro service.
  3. The Payment micro service submits a request to the PDF micro service, passing over the access token, typically in the Authorization header as a base64-encoded bearer token.
  4. The PDF micro service validates the access token and, if it is valid, processes the request and returns the PDF payload of the receipt.
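The four steps above, as an added example that is not part of the original post: the three parties are simulated in one process, the client id, secret and scope are constructed values, and the token store is a plain dictionary standing in for whatever the authorization server would really use.

```python
import base64, hmac, secrets, time
from urllib.parse import parse_qs

# Constructed registration: the Payment service's client id and secret (hypothetical values).
CLIENTS = {"payment-service": "s3cr3t-payment"}
ISSUED = {}  # access token -> (client_id, expiry): the authorization server's token store

def build_token_request(client_id, client_secret):
    """Step 1: the token request the Payment service sends (RFC 6749 sections 2.3.1 and 4.4.2)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"headers": {"Authorization": f"Basic {creds}"},
            "body": "grant_type=client_credentials&scope=pdf:generate"}

def authorization_server(request):
    """Step 2: verify the client's credentials, then issue a short-lived bearer token."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return {"status": 401, "body": {"error": "invalid_client"}}
    try:
        client_id, secret = base64.b64decode(auth[len("Basic "):]).decode().split(":", 1)
    except ValueError:  # malformed base64, bad UTF-8, or no ':' separator
        return {"status": 401, "body": {"error": "invalid_client"}}
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return {"status": 401, "body": {"error": "invalid_client"}}  # constant-time compare
    if parse_qs(request["body"]).get("grant_type") != ["client_credentials"]:
        return {"status": 400, "body": {"error": "unsupported_grant_type"}}
    token = secrets.token_urlsafe(32)  # opaque, unguessable, URL-safe base64
    ISSUED[token] = (client_id, time.time() + 300)
    return {"status": 200, "body": {"access_token": token,
                                    "token_type": "Bearer", "expires_in": 300}}

def pdf_service(headers):
    """Steps 3 and 4: the PDF service rejects missing, unknown or expired tokens."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return {"status": 401, "body": None}
    entry = ISSUED.get(auth[len("Bearer "):])
    if entry is None or entry[1] < time.time():
        return {"status": 401, "body": None}
    return {"status": 200, "body": b"%PDF-1.4 receipt for " + entry[0].encode()}

def fetch_receipt(client_id, client_secret):
    """The whole machine-to-machine exchange, seen from the Payment service."""
    tok = authorization_server(build_token_request(client_id, client_secret))
    if tok["status"] != 200:
        return tok
    return pdf_service({"Authorization": f"Bearer {tok['body']['access_token']}"})
```

A real deployment would send the token request over TLS to the authorization server's token endpoint and have the PDF service validate the token by introspection or signature check rather than a shared dictionary; the checks (credential match, grant type, token presence and expiry) stay the same.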

In summary, you should consider the Client Credentials Grant if:

  1. The client is a confidential application.
  2. The client is accessing a protected resource on its own behalf.
  3. As the specs put it:

    The client is requesting access to the protected resources under its control, or those of another resource owner that have been previously arranged with the authorization server.

References:

  1. The OAuth 2.0 Authorization Framework (RFC 6749), section 4.4.
