Skip to main content

Client Credentials Flow

Client credentials grant is a flow used for communication between single or multi services and applications. It can be used by, for example, applications that process batches or integrate multiple systems.

What Client Credentials Flow Is

The client credentials grant type is used when there is no user present, and the client authenticates itself with the authorization server. In other words, the client credentials grant type is used by client applications to obtain an access token beyond the context of a user, for example, in machine-to-machine environments.

Only confidential clients able to store their credentials securely can use the client credentials flow.

How Client Credentials Flow Works

The client application uses client authentication as its authorization grant, and no additional authorization is needed.

Client_Credentials_Flow.svg

  1. The client requests an access token by calling the token endpoint.

    Sample call to the token endpoint with SecureAuth as an authorization server

    This is a valid sample when a client uses client_secret_post as the client authentication method.

    curl -X POST https://$TENANT_ID.$REGION_ID.authz.cloudentity.io/$TENANT_ID/$WORKSPACE_ID/oauth2/token \
--header "Content-Type: application/x-www-form-urlencoded" \
--data-raw "grant_type=client_credentials&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET"

    Region identifier

    REGION_ID is available for recently created tenants in the tenant URL next to TENANT_ID. The region IDs are assigned as follows:

    • Australia: au

    • Europe: eu

    • USA: us

    For tenants without the region identifier, the REGION_ID parameter must be skipped.

  2. Authorization server validates the client credentials received in the request.

  3. Authorization server returns the token.

  4. The client requests protected resources from the resource server and submits the token it received in the previous step.

    Remember

    It is recommended to Limit the scope the client application can access when calling the /token endpoint. This way, the client can request only the resources it needs to access.

  5. The resource server validates the token and responds with the requested resources.

In this section: