Get Tokens: Client Credentials Grant Type
The client credentials grant type works in a similar way to the ROPC grant type, but it issues an access token to a client based on the credentials of the client itself, not those of a resource owner. In this grant type, the client credentials are exchanged directly for an access token (step 1 below), so no user is involved and the resulting token carries no end-user context.
Capability | Supported
---|---
Browser-based end user interaction | No
Can use external IDP for authentication | No
Requires client authentication | Yes
Requires client to have knowledge of user credentials | No
Refresh token allowed | No
Access token is in context of end user | No
Sample Client Configuration
For the client credentials example below, the following client information will be used:
Admin Label | OAuth2 Parameter | Example Value
---|---|---
Client ID | client_id | cc_client
Client Authentication | client_secret | 2Federate
Allowed Grant Types | grant_type | grant_type of "client_credentials"
Scope Settings | scope | edit
Getting the Token
The client makes a request (HTTP POST) to the token endpoint with the client credentials presented as HTTP Basic authentication:
```http
POST https://localhost:9031/as/token.oauth2 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic Y2NfY2xpZW50OjJGZWRlcmF0ZQ==

grant_type=client_credentials
&scope=edit
```
The client credentials can also be provided using the client_id and client_secret parameters in the body of the POST instead of the Authorization header.
The client will receive a response to this request. If successful, a 200 OK response will be received and the access token will be returned in a JSON structure. A refresh token will NOT be returned to the client.
```http
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8

{
  "access_token":"zzz...yyy",
  "token_type":"Bearer",
  "expires_in":14400
}
```
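The request and response handling described above, as an added example that is not part of the original page and not PingFederate's own code: it builds the Basic credential and form body from the sample client configuration, then validates the token reply, treating a 200 response as the only success and rejecting a refresh token, which this grant type never issues. The sample reply string is constructed here to mirror the response shown above; the endpoint is not actually contacted.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Client settings taken from the sample configuration on this page.
TOKEN_ENDPOINT = "https://localhost:9031/as/token.oauth2"
CLIENT_ID = "cc_client"
CLIENT_SECRET = "2Federate"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic credential for the token endpoint: base64("client_id:client_secret")."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(client_id: str, client_secret: str, scope: str) -> tuple[dict, str]:
    """Headers and form body for a client_credentials request with the secret in the Authorization header."""
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return headers, body


def parse_token_response(status: int, body: str) -> dict:
    """Validate the token endpoint reply: HTTP 200, a Bearer access token, and no refresh token."""
    if status != 200:
        raise ValueError(f"token request failed with HTTP {status}: {body}")
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer" or not data.get("access_token"):
        raise ValueError("response does not carry a usable Bearer access token")
    if "refresh_token" in data:
        # The client credentials grant never returns a refresh token; treat one as a misconfiguration.
        raise ValueError("unexpected refresh_token in client_credentials response")
    # Record an absolute expiry so the client re-requests a token instead of presenting a stale one.
    data["expires_at"] = time.time() + int(data["expires_in"])
    return data


# Constructed sample reply mirroring the response shown on this page (not captured from a server).
SAMPLE_RESPONSE = '{"access_token":"zzz...yyy","token_type":"Bearer","expires_in":14400}'

if __name__ == "__main__":
    headers, body = build_token_request(CLIENT_ID, CLIENT_SECRET, "edit")
    print(f"POST {TOKEN_ENDPOINT}\n{headers}\n\n{body}")
    token = parse_token_response(200, SAMPLE_RESPONSE)
    print("access token expires in", token["expires_in"], "seconds")
```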