In this post in the OAuth2.0 series, I will focus on what is oAuth 2.0 client credential grant type. In this post, we will understand what is client credential grant type, where can we use it and also a simple sequence diagram to elaborate on the concept. You can read my earlier posts in the same oAuth2.0 series on other various grant types like OAuth 2.0 authorization code (with refresh token) grant flow, OAuth 2.0 implicit grant flow, OAuth2.0 resource owner password credential flow.
Stakeholders in the process
Resource Owner (Client App) – A user or an application who/which owns a protected resource on the Resource Server. If you notice, this is significantly different than the other grant types. Here the client app itself is the resource owner. The client app itself requests an access token to access their own resource, not on behalf of a user.
Resource Server (service/API server) – It’s the server that hosts the protected resource. This data/resource is to be shared with the client application.
Authorisation Server – It issues access tokens after the Client App successfully authenticates itself and provides all the necessary authorisation.
Authorization Server exposes AUTHORIZATION end point – This is responsible for validating the client credential and providing the client with access token and other information.
Client Id – The client must have a unique id and is called Client Id
Client Secret – The client must also have a client secret. This is used to prevent situations fraudulent request is sent.
Access Token – This is the token that is used while obtaining the data from restricted resource.
Where to use OAuth2.0 client credential grant type
The client credential grant type is used when the application itself is resource owner and it requests for access token for itself. There is no end-user entity participating in the grant type. This type of authentication grant can be used for machine-to-machine authentication. It can be used when an application wants to update its own information via an API.
Look at the above sequence diagram; the flow starts when Resource Owner/Client app hits the authorisation server for access token. In the process, it sends following parameters –
client_id/client_secret – This is the unique identification number and corresponding secret of the client. It’s used to authenticate client for the request. Typically, these are sent over a query parameter or as HTTP Basic Authentication header.
scope – For which the Client is requesting authorisation. These are space delimited list of scope string; for example – profile, email, location etc.
grant_type – It’s defaulted to client_credential.
The AUTH server authenticates the client with its client_id/client_secret in the request.
Once successfully authenticated, the AUTH server then responds back to the client with following infromation –
token_type with value as Bearer
access_token with the access token value
expires_in with the value indicating the life-time of the access token
STEP 4 & 5
Client then uses the access token to hit the protected resource URL and accesses the protected data.
With this post, I conclude the series on OAuth2.0 different popular grant types. Hope it helps in getting a good idea of what OAuth 2.0 and what are the concepts of different grant types.