OAuth 2.0 Client Credentials Grant Flow

The OAuth 2.0 Client Credentials Grant (RFC 6749, section 4.4) is a grant type that lets an application obtain an access token for protected resources on its own behalf rather than on behalf of a user. It is used for machine-to-machine (server-to-server) communication, where the application authenticates itself to the authorization server with credentials issued to it at registration. Because the client secret is the only credential presented, the grant is meant for confidential clients (server-side applications that can keep the secret private), not for browser or mobile apps, which cannot protect a secret.

Flow Overview

Actors:

  • Client: The application that wants to access the protected resource.
  • Authorization Server: The server that issues access tokens to the client after successfully authenticating it.
  • Resource Server: The server that hosts the protected resources and validates the access token.

OAuth Flow:

  1. The client sends a token request to the authorization server’s token endpoint and authenticates itself with its client credentials (client ID and client secret), normally in an HTTP Basic Authorization header, or less preferably as form parameters.
  2. The authorization server validates the client’s credentials and the requested scope and, if both are acceptable, issues an access token together with its lifetime and the granted scope.
  3. The client presents the access token to the resource server as a Bearer token in the Authorization header.
  4. The resource server validates the token (by checking its signature or introspecting it at the authorization server), confirms it has not expired and carries the required scope, and, if so, returns the requested resource.
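The four steps above, simulated in-process as an added example (this is not code from the original page and not any library’s API). The client ID, client secret, resource path, required scope and token store are constructed for illustration; the authorization server validates the client secret in constant time, issues an opaque token with an expiry and a granted scope, and exposes an introspection lookup that the resource server uses to check the token and its scope before serving the resource.

```python
# Added example (not the page's own code): the client credentials grant with all three
# actors in one process. Client IDs, secrets, paths and the token store are constructed.
import base64
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

TOKEN_TTL = 3600
# Constructed registration: the authorization server's record of one confidential client.
REGISTERED_CLIENTS = {
    "YOUR_CLIENT_ID": {"secret": "YOUR_CLIENT_SECRET", "allowed_scopes": {"app.read"}},
}
# Constructed policy: the scope each protected path requires on the resource server.
REQUIRED_SCOPE = {"/path/to/protected-resource": "app.read"}


class AuthorizationServer:
    def __init__(self, clients, now=time.time):
        self._clients, self._now = clients, now
        self._tokens = {}  # opaque token -> {client_id, scope, expires_at}

    def _authenticate(self, headers, form):
        # Step 1: prefer HTTP Basic (RFC 6749 section 2.3.1); accept form parameters as a fallback.
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            try:
                client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
            except (ValueError, UnicodeDecodeError):
                return None
        else:
            client_id = form.get("client_id", [""])[0]
            secret = form.get("client_secret", [""])[0]
        client = self._clients.get(client_id)
        # Constant-time comparison so a wrong secret cannot be timed character by character.
        if client is None or not hmac.compare_digest(client["secret"].encode(), secret.encode()):
            return None
        return client_id

    def token(self, headers, body):
        """Step 2, POST /token: returns (status, headers, json_body)."""
        form = parse_qs(body)
        no_store = {"Content-Type": "application/json", "Cache-Control": "no-store", "Pragma": "no-cache"}
        if form.get("grant_type") != ["client_credentials"]:
            return 400, no_store, {"error": "unsupported_grant_type"}
        client_id = self._authenticate(headers, form)
        if client_id is None:
            return 401, {**no_store, "WWW-Authenticate": 'Basic realm="token"'}, {"error": "invalid_client"}
        allowed = self._clients[client_id]["allowed_scopes"]
        requested = set(form.get("scope", [""])[0].split()) or allowed  # omitted scope -> default
        if not requested <= allowed:
            return 400, no_store, {"error": "invalid_scope"}
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"client_id": client_id, "scope": " ".join(sorted(requested)),
                               "expires_at": self._now() + TOKEN_TTL}
        return 200, no_store, {"access_token": token, "token_type": "Bearer",
                               "expires_in": TOKEN_TTL, "scope": self._tokens[token]["scope"]}

    def introspect(self, token):
        """RFC 7662-style lookup the resource server uses in step 4."""
        info = self._tokens.get(token)
        if info is None or info["expires_at"] <= self._now():
            return {"active": False}
        return {"active": True, **info}


class ResourceServer:
    def __init__(self, introspect):
        self._introspect = introspect

    def get(self, path, headers):
        """Step 4, GET <path>: returns (status, headers, json_body)."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token:
            return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, None
        info = self._introspect(token)
        if not info["active"]:
            return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}, None
        required = REQUIRED_SCOPE.get(path)
        if required is None:
            return 404, {}, None
        if required not in info["scope"].split():
            return 403, {"WWW-Authenticate": f'Bearer error="insufficient_scope", scope="{required}"'}, None
        return 200, {"Content-Type": "application/json"}, {"data": "Protected resource data"}


def basic_auth(client_id, client_secret):
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def run_flow(client_id, client_secret, scope="app.read", now=time.time):
    """Drive one client through steps 1-4; returns ((token status, body), (resource status, body))."""
    auth_server = AuthorizationServer(REGISTERED_CLIENTS, now)
    resource_server = ResourceServer(auth_server.introspect)
    status, _, body = auth_server.token(
        {"Authorization": basic_auth(client_id, client_secret),
         "Content-Type": "application/x-www-form-urlencoded"},
        urlencode({"grant_type": "client_credentials", "scope": scope}))
    if status != 200:
        return (status, body), None
    rs_status, _, data = resource_server.get(
        "/path/to/protected-resource", {"Authorization": f"Bearer {body['access_token']}"})  # step 3
    return (status, body), (rs_status, data)


if __name__ == "__main__":
    print(run_flow("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET"))
    print(run_flow("YOUR_CLIENT_ID", "wrong-secret"))
```

Passing a clock into AuthorizationServer lets you verify the expiry path without waiting an hour: issue a token, advance the clock by TOKEN_TTL, and the resource server answers 401 with error="invalid_token". A wrong secret yields 401 invalid_client from the token endpoint, and a scope the client was not registered for yields 400 invalid_scope, so the client never obtains a token it could misuse.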

Example Authentication Request from client to authorization server (the token request, sent over TLS):

POST /token HTTP/1.1
Host: authorization-server.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&scope=app.read

This example passes the client credentials as form parameters. RFC 6749 requires the authorization server to support HTTP Basic authentication for clients that have a secret and discourages sending the secret in the request body, because bodies are more likely to end up in request logs and proxies; the equivalent Basic form is an Authorization: Basic header carrying base64(client_id:client_secret) with only grant_type and scope in the body. Either way, the token endpoint must only be reachable over TLS.

Example Response from authorization server to client:

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
"access_token": "ACCESS_TOKEN_VALUE",
"token_type": "Bearer",
"expires_in": 3600,
"scope": "app.read"
}

The Cache-Control: no-store and Pragma: no-cache headers are required by RFC 6749 for any response that carries a token. The token is a bearer credential: anyone holding it can call the API until expires_in seconds elapse, so the client should keep it in memory only, never write it to logs, and request a fresh token when it expires rather than asking for long-lived ones. No refresh token is issued for this grant; the client simply authenticates again.

Example Resource Request from client to resource server:

GET /path/to/protected-resource HTTP/1.1
Host: resource-server.com
Authorization: Bearer ACCESS_TOKEN_VALUE

Example Response from resource server to client:

HTTP/1.1 200 OK
Content-Type: application/json

{
"data": "Protected resource data"
}

If validation fails, the resource server does not return the data: a missing, malformed, expired or revoked token gets 401 Unauthorized with a WWW-Authenticate: Bearer header (error="invalid_token" when a token was supplied), and a valid token that lacks the scope the resource requires gets 403 Forbidden with error="insufficient_scope", as defined in RFC 6750.