In this post, I’ll give a high-level overview of the Client Credentials Grant by example.
The Client Credentials Grant is for obtaining an access token based solely on the client's own credentials, without any user's involvement. Simply put, the Client Credentials Grant is for machine-to-machine communication.
According to the spec (RFC 6749, Section 4.4),
The client credentials grant type MUST only be used by confidential clients.
This blog post gives a clear example of a confidential client:
An example of a confidential client could be a web app, where no one but the administrator can get access to the server, and see the client password.
It makes sense that the client must be a confidential client: the grant authenticates the client with nothing but its credentials, so whoever holds them can obtain tokens. A public client such as a browser-based JavaScript application is not capable of keeping the client's credentials secret. For instance, any user can see the credentials by viewing the application's source code or by inspecting its network traffic.
Suppose you are developing the payment sub-system for an online book store. The sub-system consists of OAuth-protected microservices. The Payment microservice handles payment processing, and the PDF microservice handles generating receipts as PDFs. When a user purchases books, the Payment microservice processes the user's payment and calls the PDF microservice to generate the receipt. The user does not need an account to purchase books, and as such the communication between the microservices does not involve the user. The following describes the steps the Payment microservice takes to obtain a PDF receipt from the PDF microservice.
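The exchange between the Payment microservice (the confidential client), the authorization server's token endpoint and the PDF microservice (the resource server), as an added worked example that is not part of the original post. It is plain Python with the three parties written as in-process functions standing in for HTTP endpoints; the client id `payment-service`, the secret, and the scope name `pdf:generate` are made-up values for the example. The request and response shapes follow RFC 6749 sections 2.3.1, 4.4 and 5, and the bearer token usage follows RFC 6750.

```python
import base64
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed example registration. The secret is held only on the Payment
# service's server side (a confidential client); it is never shipped to a browser.
CLIENT_ID = "payment-service"
CLIENT_SECRET = "s3cr3t-known-only-to-the-payment-server"
REGISTERED_CLIENTS = {CLIENT_ID: {"secret": CLIENT_SECRET, "scopes": {"pdf:generate"}}}
TOKEN_TTL = 3600
ISSUED_TOKENS = {}  # opaque token -> {"client_id", "scope", "exp"}


def build_token_request(client_id, client_secret, scope=None):
    """Client side: the RFC 6749 section 4.4.2 access token request.

    The client authenticates with HTTP Basic (section 2.3.1); the body names
    the grant type and, optionally, the scope it wants. No user is involved.
    """
    creds = f"{client_id}:{client_secret}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    return headers, urlencode(form)


def token_endpoint(headers, body):
    """Authorization server side: authenticate the client, check the grant,
    and issue an opaque bearer token (sections 4.4.3 and 5.1/5.2)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return 401, {"error": "invalid_client"}
    client = REGISTERED_CLIENTS.get(client_id)
    # Compare in constant time, and compare against a dummy for unknown client
    # ids so the response time does not reveal which ids are registered.
    expected = client["secret"] if client else "\0" * len(secret)
    secret_ok = hmac.compare_digest(expected.encode(), secret.encode())
    if client is None or not secret_ok:
        return 401, {"error": "invalid_client"}
    form = parse_qs(body)
    if form.get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    # Scope omitted: fall back to what this client was registered for.
    requested = set(form["scope"][0].split()) if "scope" in form else set(client["scopes"])
    if not requested or not requested <= client["scopes"]:
        return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[token] = {"client_id": client_id, "scope": requested,
                            "exp": time.time() + TOKEN_TTL}
    return 200, {"access_token": token, "token_type": "Bearer",
                 "expires_in": TOKEN_TTL, "scope": " ".join(sorted(requested))}


def pdf_service(headers):
    """Resource server side (the PDF microservice): accept only a live bearer
    token (RFC 6750) that carries the scope this endpoint requires."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "invalid_token"}
    info = ISSUED_TOKENS.get(auth[7:])
    if info is None or info["exp"] <= time.time():
        return 401, {"error": "invalid_token"}
    if "pdf:generate" not in info["scope"]:
        return 403, {"error": "insufficient_scope"}
    return 200, {"receipt_pdf": f"<pdf receipt generated for {info['client_id']}>"}


def payment_service_gets_receipt(client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    """The whole exchange as the Payment microservice performs it."""
    headers, body = build_token_request(client_id, client_secret, scope="pdf:generate")
    status, resp = token_endpoint(headers, body)
    if status != 200:
        return status, resp
    # Only the access token is presented to the resource server; the client
    # secret is shown to nobody but the authorization server.
    return pdf_service({"Authorization": f"Bearer {resp['access_token']}"})


if __name__ == "__main__":
    print(payment_service_gets_receipt())
    print(payment_service_gets_receipt(client_secret="guess"))
```

Two points the flow makes concrete: the client secret travels only to the token endpoint, over TLS in practice, while the PDF microservice ever sees just the short-lived access token; and the resource server authorizes on the token's scope, so a token minted for `pdf:generate` cannot be reused against an endpoint that demands a scope the client was never registered for.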
In summary, you should consider the Client Credentials Grant if:
The client is requesting access to the protected resources under its control, or those of another resource owner that have been previously arranged with the authorization server.