PingOne Advanced Identity Cloud

Client credentials grant

The client credentials grant is intended for clients who are also resource owners that need to access their own data rather than acting on behalf of a user.

For example, an application that needs access to a protected resource to update its configuration might use the client credentials grant to get an access token.

The client credentials grant flow supports confidential clients only.

The client credentials grant flow

Figure 1. OAuth 2.0 client credentials grant flow
  1. The client sends its credentials to the authorization server to get authenticated and requests an access token.

  2. If the client credentials are valid, the authorization server returns an access token to the client.

  3. The client requests access to the protected resource from the resource server.

  4. The resource server contacts the authorization server to validate the access token.

  5. The authorization server validates the token and responds to the resource server.

  6. If the token is valid, the resource server allows the client to access the protected resource.

Demonstrate the client credentials grant flow

Perform these steps to get an access token:

Prepare the demonstration

Complete these steps to prepare the client credentials grant flow demonstration:

  1. Create an application owner profile and record the username and password.

  2. Register a client application.

    1. In the Advanced Identity Cloud admin UI, go to Applications and select + Custom Application.

    2. Select the sign-in method as OIDC - OpenId Connect and application type as Web.

    3. Create the application, providing the following details:

      Name: myClient

      Owners: <application-owner>

      Client ID: myClient

      Client Secret: forgerock

    4. Switch to the Sign On tab and under General Settings, update these fields to have the following values:

      Sign-in URLs: https://www.example.com:443/callback

      Scopes: write

    5. Ensure Grant Types contains Client Credentials.

    6. Save your changes.

  3. Create a resource owner profile and record the username and password.

  4. Under Native Consoles > Access Management, go to Realms > Realm Name > Services > OAuth2 Provider > Advanced and ensure the Grant Types field includes Client Credentials.

Get an access token using the client credentials grant

As the client, call /oauth2/access_token, authenticating with the client's credentials and specifying grant_type=client_credentials.

For example:

$ curl \
--request POST \
--user '<client-id>:<client-secret>' \
--data "grant_type=client_credentials" \
--data "scope=write" \
"https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/access_token"

The scope parameter is optional if default values are configured in the authorization server or the client.

PingOne Advanced Identity Cloud returns an access token, for example:

{
  "access_token": "<access-token>",
  "scope": "write",
  "token_type": "Bearer",
  "expires_in": 3599
}
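The following is an added example, not code from Ping Identity or this page: an in-process simulation of the six-step flow in Figure 1 and of the token request above. The client side builds the same HTTP request the curl call sends (HTTP Basic credentials plus a form body), a constructed stand-in for the authorization server's token endpoint authenticates the client and issues a token, and a constructed resource server asks that stand-in to validate the bearer token before admitting the request. The client ID, secret, `write` scope and 3599-second lifetime are the page's own values; the function names, the opaque-token format and the in-memory token store are assumptions made for the example and do not describe how PingOne Advanced Identity Cloud implements its endpoints.

```python
"""Added example (not Ping Identity's code): client credentials grant, all three
parties simulated in one process so the exchange runs offline."""
import base64
import secrets
import time
from urllib.parse import parse_qs, urlencode

# --- Authorization server side (constructed stand-in for /oauth2/access_token) ---
REGISTERED_CLIENTS = {
    # client_id -> (client_secret, allowed scopes, allowed grant types); values from the page
    "myClient": ("forgerock", {"write"}, {"client_credentials"}),
}
TOKEN_LIFETIME = 3599          # seconds, matching the expires_in value shown on the page
_issued_tokens = {}            # access_token -> {"client_id", "scope", "exp"} (assumed store)


def token_endpoint(headers, body, now=None):
    """Steps 1-2: authenticate the client and issue a token. Returns (status, json_dict)."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        client_id, _, client_secret = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:  # malformed base64 or non-UTF-8 bytes
        return 401, {"error": "invalid_client"}
    registered = REGISTERED_CLIENTS.get(client_id)
    # Constant-time comparison so response timing does not leak the secret.
    if registered is None or not secrets.compare_digest(registered[0].encode(), client_secret.encode()):
        return 401, {"error": "invalid_client"}
    params = {k: v[0] for k, v in parse_qs(body).items()}
    if params.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    if "client_credentials" not in registered[2]:
        return 400, {"error": "unauthorized_client"}
    # scope is optional: fall back to the scopes registered for the client.
    requested = set(params["scope"].split()) if params.get("scope") else registered[1]
    if not requested <= registered[1]:
        return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)   # opaque, unguessable token bound to client and scope
    _issued_tokens[token] = {"client_id": client_id, "scope": requested, "exp": now + TOKEN_LIFETIME}
    return 200, {"access_token": token, "scope": " ".join(sorted(requested)),
                 "token_type": "Bearer", "expires_in": TOKEN_LIFETIME}


def validate_token(token, now=None):
    """Steps 4-5: the authorization server answers the resource server's validation query."""
    now = time.time() if now is None else now
    info = _issued_tokens.get(token)
    if info is None or info["exp"] <= now:
        return {"active": False}
    return {"active": True, "client_id": info["client_id"], "scope": info["scope"]}


# --- Client side: the request the curl call on this page produces ---
def build_token_request(client_id, client_secret, scope="write"):
    """Return (headers, body) equivalent to curl --user and --data. scope=None omits the parameter."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    return headers, urlencode(form)


# --- Resource server side ---
def resource_server(auth_header, required_scope="write", now=None):
    """Steps 3 and 6: admit the call only if the bearer token is active and carries the scope."""
    if not auth_header.startswith("Bearer "):
        return 401
    info = validate_token(auth_header[7:], now)
    if not info["active"]:
        return 401
    return 200 if required_scope in info["scope"] else 403


def run_flow(client_id="myClient", client_secret="forgerock", scope="write", now=None):
    """Drive the whole exchange. Returns (token status, token response or error code, resource status)."""
    status, resp = token_endpoint(*build_token_request(client_id, client_secret, scope), now=now)
    if status != 200:
        return status, resp["error"], None
    return status, resp, resource_server(f"Bearer {resp['access_token']}", now=now)


if __name__ == "__main__":
    print(run_flow())                          # 200, token response, 200
    print(run_flow(client_secret="wrong"))     # 401, 'invalid_client', None
    print(run_flow(scope="admin"))             # 400, 'invalid_scope', None
```

The `now` parameter exists only so token expiry can be exercised deterministically; omitting the `scope` parameter falls back to the client's registered scopes, which is the behaviour the page describes as "optional if default values are configured".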