Topics In Demand
Notification
New

No notification found.

Understanding Client Credentials Flow in OAuth 2.0
Understanding Client Credentials Flow in OAuth 2.0

313

0

Client credentials flow in OAuth 2.0 is generally used for authenticating the service rather than the user. This grant_flow is used for machine-to-machine communication.

In this grant flow, the client registers itself with the OAuth 2.0 compliant authorization server. In return, the OAuth 2.0 compliant authorization server provides it with client_id and client_secret.

Here are a few concepts to remember if you are new to this topic:

  • OAuth 2.0: — OAuth 2.0 is defined as the standard for access delegation, commonly used by users for granting permissions to third-party applications without giving them their credentials.
  • OAuth 2.0 Compliant Server: — OAuth 2.0 server supporting client credentials grant_flow.
  • Access token: A token that contains information related to the privileges of the given service.
  • Grant types: They are the methods through which you can provide limited access to your resources, without revealing the user’s credentials.

Let us examine client credentials flow with the help of an example: A video streaming website.

Suppose a user tries to play a video on this website. This action takes the call to service, which takes care of the user’s action. This in turn can call the video streaming service.

This decides whether the user has the proper permissions needed to play this video or not, as our website has two types of users — premium and free.

In this example, the user service is calling the video streaming service on behalf of the user itself.

Let us look at when to use client credentials flow and understand how it works in OAuth 2.0. Before doing that, it would be a good idea to understand the concept of OAuth 2.0 properly. You can read more about it here: https://oauth.net/2/

When to Use Client Credentials Flow?

Client credentials grant_flow is used when a client is acting on its behalf, rather than the user. It involves authorizing the other services to access the resources of the resource server.

How Does Client Credentials Flow Work?

The working of the client credentials flow in OAuth 2.0 involves 4 steps:

  1. Firstly, the client registers itself on the OAuth 2.0 Compliant Authorization Server using its registration endpoint. While registering, we must provide the grant_type as client_credentials.
  2. After successful registration, the client gets its client_id and client_secret from the authorization server.
  3. Next, the client requests the access_token from the authorization server using its client_id and client_secret. During this process, the client requests certain scopes from the authorization server (i.e. the OAuth 2.0 compliant authorization server).
    If the client_id and client_secret provided by the client are correct, the authorization server provides the access_token to the client with the scopes embedded within the access_token.
  4. Lastly, using this access_token, the client can access your resource server. This will provide restrictions based on the scopes that the client has requested from the authorization server.

This is how the client_credentials flow in an OAuth 2.0 compliant authorization server works.

We hope this blog helps you get clarity on what exactly is the client_credentials grant_flow in an OAuth 2.0 compliant authorization server.


That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.


DLT Labs™ is a global leader in the development and delivery of enterprise blockchain technologies and solutions, as well as a pioneer in the creation and implementation of standards for application development. With a deep track record in innovation and one of the world's largest pools of highly experienced blockchain experts, DLT Labs™ enables the transformation and innovation of complex multi-stakeholder processes.

© Copyright nasscom. All Rights Reserved.