Take an auth-shot – Client Credentials Grant
In OAuth2, access to resources is secured with access tokens. An access token authorizes a client to access a protected resource. To obtain an access token, OAuth2 specifies several grant types.
Anyone who answered the question from our last blog (“A grant for all cases”), “Does our application have user interaction?”, with a “No”, i.e. whose application is something like a backend service, can obtain the access token with the Client Credentials grant type and thus secure access to resources.
These types of applications are also referred to as confidential clients in the context of OAuth2. In contrast to public clients, confidential clients can keep a secret (the client secret) securely, i.e. store and process it without exposing it. This property makes obtaining a token much simpler: put simply, the client ID and client secret are used like a username and password combination.
The client calls the token endpoint of the authorization server and sends its client ID and client secret. The authorization server verifies the client credentials and responds with a token response that contains, among other things, the access token.
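As an added example (not code from the original post or from cidaas), here is that exchange in Python: the client builds the token request with its client ID and secret, and a minimal authorization server verifies the credentials and returns the token response or an error. The client name, secret and scope are constructed values.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed client registry: the authorization server stores only a hash of
# each client secret (both values below are made up for this example).
REGISTERED_CLIENTS = {
    "backend-service": hashlib.sha256(b"s3cr3t-example-value").hexdigest(),
}


def build_token_request(client_id, client_secret, scope=None):
    """Client side: HTTP Basic credentials (RFC 6749 section 2.3.1) and the
    form body for grant_type=client_credentials (RFC 6749 section 4.4.2)."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = {"grant_type": "client_credentials"}
    if scope:
        body["scope"] = scope
    return headers, urlencode(body)


def handle_token_request(headers, body, registry=REGISTERED_CLIENTS):
    """Authorization server side: authenticate the client first, then issue a
    token response (RFC 6749 section 5.1) or an error response (section 5.2)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode()
        client_id, client_secret = (unquote(p) for p in decoded.split(":", 1))
    except (ValueError, UnicodeDecodeError):
        return 401, {"error": "invalid_client"}
    expected = registry.get(client_id)
    presented = hashlib.sha256(client_secret.encode()).hexdigest()
    # Constant-time comparison of the stored and presented secret hashes
    if expected is None or not hmac.compare_digest(expected, presented):
        return 401, {"error": "invalid_client"}
    params = parse_qs(body)
    if params.get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    token = {"access_token": secrets.token_urlsafe(32),
             "token_type": "Bearer", "expires_in": 3600}
    if "scope" in params:
        token["scope"] = params["scope"][0]
    return 200, token
```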
We have depicted the Client Credentials Grant with all roles, i.e. client, authorization server (cidaas) and resource server, in a flowchart.
In our next blog in the take an auth-shot series, we will take a look at the PKCE Grant and the use cases it was designed for.
Our first blog of the take an auth-shot blog series – “One Grant for All Cases?” – can be found here.
The third part of our take an auth-shot blog series – “PKCE Grant” – can be found here.