The client credentials flow in OAuth 2.0 is generally used to authenticate a service rather than a user. This grant flow is used for machine-to-machine communication.
In this grant flow, the client registers itself with the OAuth 2.0 compliant authorization server. In return, the authorization server provides it with a client_id and a client_secret.
Here are a few concepts to remember if you are new to this topic:
- OAuth 2.0: the standard for access delegation, commonly used to let users grant permissions to third-party applications without handing over their credentials.
- OAuth 2.0 Compliant Server: an OAuth 2.0 authorization server that supports the client credentials grant flow.
- Access token: a token that carries information about the privileges granted to the given service.
- Grant types: the methods through which you can provide limited access to your resources without revealing the user's credentials.
Let's examine the client credentials flow with the help of an example: a video streaming website.
Suppose a user tries to play a video on this website. This action sends a request to the user service, which handles the user's action. The user service in turn calls the video streaming service.
The video streaming service decides whether the user has the permissions needed to play this video, as our website has two types of users: premium and free.
In this example, the user service is calling the video streaming service on behalf of the user.
Let us look at when to use the client credentials flow and understand how it works in OAuth 2.0. Before doing that, it would be a good idea to understand the concept of OAuth 2.0 properly. You can read more about it here: https://oauth.net/2/
When to Use Client Credentials Flow?
The client credentials grant flow is used when a client is acting on its own behalf rather than on behalf of a user. It involves authorizing other services to access the resources of the resource server.
How Does Client Credentials Flow Work?
The client credentials flow in OAuth 2.0 involves four steps:
- First, the client registers itself on the OAuth 2.0 compliant authorization server using its registration endpoint. While registering, the grant_type must be given as client_credentials.
- After a successful registration, the client gets its client_id and client_secret from the authorization server.
- Next, the client requests an access_token from the authorization server using its client_id and client_secret. During this request, the client asks the authorization server for certain scopes. If the client_id and client_secret are correct, the authorization server issues the access_token to the client with the granted scopes embedded in it.
- Lastly, using this access_token, the client can access your resource server. The resource server restricts what the client may do according to the scopes the client requested from the authorization server.
This is how the client_credentials flow works with an OAuth 2.0 compliant authorization server.
We hope this blog helps you get clarity on what exactly the client_credentials grant flow is in an OAuth 2.0 compliant authorization server.
Author — Shobhit Singhal, DLT Labs™
About the Author: Shobhit is a Node.js developer at DLT Labs, currently exploring and gaining knowledge about OpenID Connect and OAuth 2.0 standards.