OAuth 2.0 Client Credentials Grant Flow

The OAuth 2.0 Client Credentials grant (RFC 6749, section 4.4) is a grant type of the OAuth 2.0 framework that lets an application obtain an access token for protected resources on its own behalf, rather than on behalf of a user. It is used for machine-to-machine (server-to-server) communication, where the application authenticates itself with credentials it holds. Because those credentials must be kept secret, the grant is intended only for confidential clients such as a backend service, never for code running in a browser or on a mobile device.

Flow Overview

Roles:

  • Client: The application that wants to access the protected resource, identified by a client ID and holding a client secret issued at registration.
  • Authorization Server: The server that authenticates the client and, if the credentials are valid, issues an access token. In this flow there is no separate resource owner to authenticate or to ask for authorization; the client acts for itself.
  • Resource Server: The server hosting the protected resources, which accepts requests carrying an access token and serves them only after validating the token.

OAuth Flow:

  1. The client authenticates itself to the authorization server's token endpoint using its client credentials (client ID and client secret), sent either in an HTTP Basic Authorization header or in the request body.
  2. The authorization server validates the client's credentials and the requested scope and, if valid, issues an access token to the client.
  3. The client presents the access token to the resource server when requesting the protected resource.
  4. The resource server validates the access token (that it is genuine, unexpired and carries the scope the resource requires) and, if valid, serves the requested resource.
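The four steps above, worked through as a single offline exchange. This is an added example, not code from the original page: it implements the authorization-server side of the token endpoint and the resource-server side of token validation as plain Python functions that take HTTP headers and a form-encoded body, so both ends of the protocol can be exercised without a network. The client registry, the token store, the scope names and the lifetime are constructed for the example; headers are assumed to arrive with canonical capitalisation.

```python
import base64
import hmac
import secrets
import time
from urllib.parse import parse_qs

# Constructed registration data: one confidential client, its secret and the
# scopes it is allowed to request (a real server would keep a hashed secret).
REGISTERED_CLIENTS = {
    "YOUR_CLIENT_ID": {
        "secret": "YOUR_CLIENT_SECRET",
        "allowed_scopes": {"app.read", "app.write"},
    }
}

TOKEN_LIFETIME = 3600          # seconds, matches expires_in in the sample response
_issued_tokens = {}            # access_token -> {"client_id", "scope", "expires_at"}


def basic_auth_header(client_id, client_secret):
    """Build the HTTP Basic value a client sends to authenticate at /token."""
    creds = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(creds).decode()


def _authenticate_client(headers, form):
    """Return the client_id if the request carries valid client credentials.

    Accepts HTTP Basic (the method RFC 6749 recommends) or client_id and
    client_secret in the form body (as in the page's example). The secret is
    compared in constant time so a mismatch does not leak its length or prefix.
    """
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            client_id, client_secret = base64.b64decode(auth[6:]).decode().split(":", 1)
        except ValueError:          # bad base64, bad UTF-8, or no ':' separator
            return None
    else:
        client_id = form.get("client_id", [None])[0]
        client_secret = form.get("client_secret", [None])[0]
    if client_id is None or client_secret is None:
        return None
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return None
    if not hmac.compare_digest(client["secret"].encode(), client_secret.encode()):
        return None
    return client_id


def handle_token_request(headers, body, now=None):
    """Authorization server: POST /token. Returns (http_status, json_body)."""
    now = time.time() if now is None else now
    if not headers.get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
        return 400, {"error": "invalid_request"}
    form = parse_qs(body, keep_blank_values=True)
    client_id = _authenticate_client(headers, form)
    if client_id is None:
        # RFC 6749 section 5.2: failed client authentication is 'invalid_client'
        return 401, {"error": "invalid_client"}
    if form.get("grant_type", [None])[0] != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    allowed = REGISTERED_CLIENTS[client_id]["allowed_scopes"]
    requested = set(form.get("scope", [""])[0].split()) or set(allowed)  # omitted scope -> server default
    if not requested <= allowed:
        return 400, {"error": "invalid_scope"}
    scope = " ".join(sorted(requested))
    token = secrets.token_urlsafe(32)    # opaque, unguessable reference token
    _issued_tokens[token] = {"client_id": client_id, "scope": scope, "expires_at": now + TOKEN_LIFETIME}
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_LIFETIME, "scope": scope}


def handle_resource_request(headers, required_scope, now=None):
    """Resource server: check the bearer token exists, is unexpired and has the scope."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "invalid_token"}
    record = _issued_tokens.get(auth[7:])
    if record is None or record["expires_at"] <= now:
        return 401, {"error": "invalid_token"}
    if required_scope not in record["scope"].split():
        return 403, {"error": "insufficient_scope"}   # RFC 6750 section 3.1
    return 200, {"data": "Protected resource data"}
```

The resource server here looks the token up in the same in-memory store the authorization server wrote to; in a deployed system that lookup is a token-introspection call or, for self-contained JWT access tokens, a signature and claims check. Note that the scope check is done by the resource server for each request, not only at issuance.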

Getting an Access Token

To obtain an access token, the client sends a POST request to the authorization server's token endpoint, form-encoded (application/x-www-form-urlencoded) and over TLS, with the following parameters:

  • grant_type: Must be set to client_credentials to indicate that the client is requesting an access token using the client credentials grant type.
  • scope: (Optional) A space-separated list of scopes that the client is requesting access to. If omitted, the server applies a default or rejects the request.
  • client_id: The client ID issued to the client during the registration process.
  • client_secret: The client secret issued to the client during the registration process.

The example below passes client_id and client_secret in the request body. RFC 6749 (section 2.3.1) recommends sending them instead as an HTTP Basic Authorization header (base64 of client_id:client_secret), which keeps the secret out of the form body; the server must support Basic and may additionally accept the body form.

Example Authentication Request from client to authorization server:

POST /token HTTP/1.1
Host: authorization-server.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&scope=app.read

Curl Command to obtain an access token:

curl -X POST "https://authorization-server.com/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&scope=app.read"

Example Response from authorization server to client (expires_in is the token lifetime in seconds; the client should refresh before it elapses rather than wait for a 401 from the resource server):

HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token": "ACCESS_TOKEN_VALUE",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "app.read"
}
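A client-side helper for the request and response shown above, added here as an example and not taken from the original page. It authenticates with an HTTP Basic Authorization header instead of placing client_secret in the body, checks the token_type, and caches the token until shortly before expires_in elapses so that a busy service does not hit the token endpoint on every call. The HTTP transport is an injected post(url, headers, body) callable returning (status, json_dict), so the class runs offline; the token URL and the clock skew of 60 seconds are assumptions for the example.

```python
import base64
import time
from urllib.parse import urlencode


class TokenError(Exception):
    """Raised when the authorization server returns an OAuth error response."""


class ClientCredentialsClient:
    """Obtains and caches an access token via the client credentials grant.

    post(url, headers, body) -> (status, json_dict) is injected so the class
    can be tested offline; in production wrap urllib.request or requests.
    clock is injectable for the same reason.
    """

    def __init__(self, token_url, client_id, client_secret, scope, post,
                 clock=time.time, skew=60):
        self.token_url = token_url
        self.client_id = client_id
        self.client_secret = client_secret
        self.scope = scope
        self.post = post
        self.clock = clock
        self.skew = skew            # refresh this many seconds before expiry
        self._token = None
        self._expires_at = 0.0

    def _request_token(self):
        # Client authentication via HTTP Basic (RFC 6749 section 2.3.1) rather
        # than client_secret in the body, so the secret does not sit in a
        # form body that proxies or request logs may retain.
        creds = f"{self.client_id}:{self.client_secret}".encode()
        headers = {
            "Authorization": "Basic " + base64.b64encode(creds).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
        }
        body = urlencode({"grant_type": "client_credentials", "scope": self.scope})
        status, resp = self.post(self.token_url, headers, body)
        if status != 200:
            # Error responses carry an 'error' code such as invalid_client
            raise TokenError(resp.get("error", f"HTTP {status}"))
        if resp.get("token_type", "").lower() != "bearer":
            raise TokenError("unexpected token_type " + repr(resp.get("token_type")))
        self._token = resp["access_token"]
        # expires_in is only RECOMMENDED by RFC 6749; if absent, treat the
        # token as already stale so the next call fetches a fresh one.
        self._expires_at = self.clock() + int(resp.get("expires_in", 0))
        return self._token

    def access_token(self):
        """Return the cached token, or fetch a new one if missing or near expiry."""
        if self._token is None or self.clock() >= self._expires_at - self.skew:
            return self._request_token()
        return self._token

    def auth_header(self):
        """Header to attach to a resource-server request."""
        return {"Authorization": "Bearer " + self.access_token()}
```

The cache holds the token in process memory only; writing it to disk or a shared cache widens the blast radius if that store is compromised, since a bearer token is usable by whoever holds it.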

Accessing Protected Resources

Once the client has obtained an access token, it can use it to access protected resources on the resource server by sending the token in the Authorization header of the HTTP request, using the Bearer scheme (RFC 6750). A bearer token grants access to whoever presents it, so the request must go over TLS and the token must not be placed in a URL query string, where it would end up in server logs and referrers.

Example Resource Request from client to resource server:

GET /path/to/protected-resource HTTP/1.1
Host: resource-server.com
Authorization: Bearer ACCESS_TOKEN_VALUE

Curl Command to access protected resource:

curl -X GET "https://resource-server.com/path/to/protected-resource" \
  -H "Authorization: Bearer ACCESS_TOKEN_VALUE"

Example Response from resource server to client (a missing, expired or forged token yields 401 with WWW-Authenticate: Bearer error="invalid_token"; a valid token lacking the required scope yields 403 with error="insufficient_scope"):

HTTP/1.1 200 OK
Content-Type: application/json

{
  "data": "Protected resource data"
}