Client credentials flow

Requirements

  • Confidential clients only: the client must be able to keep its ClientSecret out of reach of end users (server-side code, not a browser or native app).

  • Secure storage for access tokens, the ClientID and above all the ClientSecret (a secrets manager or encrypted configuration, never source control or client-side code).

Setup

  • Client registration in the OAuth (authorization) server.

    • The client receives a ClientID and a ClientSecret.

    • How registration is done is not regulated by OAuth; RFC 6749 leaves it to the authorization server (developer portal, admin API, configuration file).

Limitation

  • No resource owner is involved: the token represents the client itself, so there is no user authentication, consent or delegated permission. It is meant for machine-to-machine access to resources the client owns or is directly authorized for.

Resource owner uses a server-based Web App

  • The web app is the OAuth client; its users take no part in the OAuth exchange.

The client uses the resource server API to get a resource

  • The request carries no access token, so the resource server rejects it (HTTP 401 with a WWW-Authenticate: Bearer challenge, per RFC 6750).

The client gets an access token from the OAuth server

  • POST to the token endpoint with grant_type=client_credentials, authenticating with its ClientID and ClientSecret (HTTP Basic or form parameters, RFC 6749 section 4.4). The server answers with an access token limited to the scopes the client itself is allowed.

The client uses again the resource server API to get a resource

  • This time presenting the token in the Authorization: Bearer header; the resource server validates it (issuer, expiry, scope) and returns the resource.
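The four steps above as one runnable exchange. This is an added example, not code from the original page or from any real OAuth server: the authorization server, resource server and client are in-process Python functions standing in for HTTP endpoints, the client registration and secret are constructed sample data, and the `introspect` lookup is a stand-in for RFC 7662 token introspection. It shows the 401 challenge on the first call, client authentication with HTTP Basic (constant-time secret check on the server side), scope enforcement, and the retry with a bearer token.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, unquote

# Assumption for an offline demo: all three parties are in-process objects, and the
# dicts they exchange stand for the HTTP headers and JSON bodies of RFC 6749 section 4.4.


class AuthorizationServer:
    def __init__(self):
        self.clients = {}  # client_id -> (sha256(secret), allowed scopes); constructed registry
        self.tokens = {}   # access_token -> (client_id, scope, expiry)

    def register(self, client_id, client_secret, scopes):
        # Registration is out of band (not regulated by OAuth). Store a hash, not the secret.
        self.clients[client_id] = (hashlib.sha256(client_secret.encode()).digest(), set(scopes))

    def token_endpoint(self, headers, form):
        # Section 4.4.2: grant_type=client_credentials, client authenticates with HTTP Basic
        # (section 2.3.1, credentials form-encoded before base64). Returns (status, body).
        if form.get("grant_type") != "client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return 401, {"error": "invalid_client"}
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return 401, {"error": "invalid_client"}
        client_id, client_secret = unquote(user), unquote(pw)
        record = self.clients.get(client_id)
        # Constant-time compare; run it for unknown IDs too so timing does not reveal valid ones.
        expected = record[0] if record else bytes(32)
        presented = hashlib.sha256(client_secret.encode()).digest()
        if not hmac.compare_digest(presented, expected) or record is None:
            return 401, {"error": "invalid_client"}
        allowed = record[1]
        requested = set(form.get("scope", "").split()) or allowed
        if not requested <= allowed:
            return 400, {"error": "invalid_scope"}
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (client_id, requested, time.time() + 3600)
        return 200, {"access_token": token, "token_type": "Bearer",
                     "expires_in": 3600, "scope": " ".join(sorted(requested))}

    def introspect(self, token):
        # Stand-in for RFC 7662 introspection: is this token known and for whom?
        return self.tokens.get(token)


class ResourceServer:
    def __init__(self, auth_server, required_scope):
        self.auth_server = auth_server
        self.required_scope = required_scope

    def get_resource(self, headers):
        # Returns (status, response headers, body) like an HTTP API would.
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            # First call of the flow: no token, so challenge the client (RFC 6750 section 3).
            return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, None
        info = self.auth_server.introspect(auth[7:])
        if info is None or info[2] < time.time():
            return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}, None
        client_id, scope, _ = info
        if self.required_scope not in scope:
            return 403, {"WWW-Authenticate": 'Bearer error="insufficient_scope"'}, None
        # No resource owner: the data belongs to the calling client itself.
        return 200, {}, {"owner": client_id, "report": "nightly-totals"}


def run_flow(auth_server, resource_server, client_id, client_secret, scope):
    """The page's steps in order. Returns (list of (step, status), final body)."""
    steps = []
    status, _, _ = resource_server.get_resource({})          # 1. no token -> 401
    steps.append(("api_without_token", status))
    basic = base64.b64encode(                                 # 2. client authenticates itself
        f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()).decode()
    status, body = auth_server.token_endpoint(
        {"Authorization": "Basic " + basic},
        {"grant_type": "client_credentials", "scope": scope})
    steps.append(("token_request", status))
    if status != 200:
        return steps, body
    status, _, resource = resource_server.get_resource(      # 3. retry with bearer token
        {"Authorization": f"Bearer {body['access_token']}"})
    steps.append(("api_with_token", status))
    return steps, resource


def demo():
    # Constructed registration; in practice the secret comes from a secrets manager.
    auth_server = AuthorizationServer()
    auth_server.register("report-batch", "s3cr3t-from-vault", ["reports:read"])
    api = ResourceServer(auth_server, "reports:read")
    good = run_flow(auth_server, api, "report-batch", "s3cr3t-from-vault", "reports:read")
    bad_secret = run_flow(auth_server, api, "report-batch", "wrong", "reports:read")
    bad_scope = run_flow(auth_server, api, "report-batch", "s3cr3t-from-vault", "reports:write")
    return good, bad_secret, bad_scope
```

`demo()` runs the happy path plus two failures a practitioner should expect to see: a wrong ClientSecret yields `invalid_client` at the token endpoint (the API is never reached with a token), and asking for a scope the client was not registered for yields `invalid_scope`. Note that the authorization server hashes the secret before the constant-time comparison and also compares for unknown ClientIDs, so neither the stored secret nor the set of valid IDs leaks through timing.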
