Software AG Products 10.11 | Administering Integration Server | Configuring OAuth | Authorization Grant Types Supported by Integration Server | Client Credentials Grant
 
Client Credentials Grant
The client credentials grant is used to authenticate and provide access to clients that have credentials on the authorization server. The client credentials grant allows the client to use their credentials to obtain an access token that can the be used to access resources. The client credentials grant is often used to access resources that are already under the control of the client, or when the resource owner trusts the client to access its resources, or for machine-to-machine interactions. An example of machine-to-machine interaction might be a background process that runs on the resource owner’s device and the background process needs access to resources protected by OAuth.
Unlike the authorization code grant type, a client using the client credentials grant does not need resource owner approval before obtaining an access token, nor does the client need a redirection endpoint. Instead, the client presents credentials directly to the token endpoint and requests an access token. The token endpoint authenticates the credentials and issues an access token. The token endpoint does not issue a refresh token as refresh tokens are not supported by the client credentials grant.
The client credentials grant type is less secure than the authorization code grant type.
A client that uses the client credentials grant must have credentials on the authorization server which means the client must be a confidential client. When you create a client that will use the client credentials grant, you must give the client permission to access the resources it needs. This is different than the other grant types where Integration Server knows the resource owner because the resource owner either provided its credentials when approving the request (authorization code and implicit grants) or the client supplies the resource owner’s credentials (ROPC grant) With the client credentials grant, Integration Server does not know the owner because the client does not need resource owner approval. Consequently, it is the client who must have permission to access the resources. You must add the client to one or more user groups that have the access permissions that the client needs.
Client Credentials Grant Flow
Activity flow for client credentials grant type
The following table describes each step in the client credentials grant flow.
Stage
Description
1
The client application initiates the process by presenting its credentials to the token endpoint, the pub.oauth:getToken service, on the authorization server.
2
On the authorization server, the pub.oauth:getToken service authenticates the client and verifies that the credentials belong to a confidential client allowed to use the client credentials grant. The service also checks that the scopes specified with the client request are allowed for the client. The authorization sever returns an access token to the client.
Note:
A refresh token is not returned for a client credentials grant.
3
The client application uses the access token to request a resource o the resource server.
4
The resource server checks with authorization server to make sure the access token is valid. If it is, the resource server checks that the requested resource is within the scope for which the access token was issued.