Client credential grant example
13.3.2.2. AS-centric AS - client credentials grant usage example

Use Case Scenario

This scenario demonstrates the following use case:

  • A client registers itself through dynamic client registration
  • A client requests an access token with a client credentials grant

Step 1: Dynamic Client Registration

Dynamic Client Registration Request

POST https://oidc.airlock.com/auth-login/rest/public/tech-client-registration/oauth2/myAS/register
 {
    "client_name": "Sample Client", 
    "client_uri": "https://test-client.airlock.com", 
    "scope": "strong client-scope",
    "token_endpoint_auth_method": "client_secret_basic",
    "redirect_uris": [
    "https://sample-client.airlock.com/redirectUri"
    ],
     "response_types": [
         "code"
    ],
    "grant_types": [
    "authorization_code",
    "refresh_token"
    ], 
    "contacts": [ 
        "Peter Sample"
    ]
 }

This request will receive the following response. The following elements in the response are noteworthy:

  • client_id and client_secret are generated by the authorization server.
  • scope is limited by an additional processor to the string client-scope. The scope strong was not accepted by the authorization server and is therefore missing from the response.

Code Block Dynamic Client Registration Response

200 OK
 {
    "scope": "client-scope",
      "contacts": [
        "Peter Sample"
     ],
     "client_id": "5572a786-010e-48a3-8c87-0d94d263f3b9",
     "client_secret": "WMKA5QLW5iuFGt5CsePYQBYbuDL8DcCD",
     "client_secret_expires_at": 0,
     "client_id_issued_at": 1597332712,
     "redirect_uris": [
         "https://test-client.airlock.com/redirectUri"
     ],
     "token_endpoint_auth_method": "client_secret_basic",
    "grant_types": [
          "authorization_code",
         "refresh_token"
     ],
     "response_types": [
         "code"
     ],
     "client_name": "Sample Client",
     "client_uri": "https://sample-client.airlock.com"
 }

Step 2: Client Credentials Grant

The client credentials grant is started as a request on the token endpoint with "grant_type" set to "client_credentials".

For authentication, the client uses basic_auth as defined in the "token_endpoint_auth_method". The credentials used are client_id and client_secret from the dynamic client registration response above.

Client Credentials Grant Request

POST https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS/token
 Content-Type: application/x-www-form-urlencoded
 Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ

  grant_type=client_credentials&
 scope=client-scope

The authorization server successfully validated the credentials provided by the client and responds with an access token:

Client Credentials Grant Response

200 OK
 {
     "access_token": "eyJraWQiOiI3...YeQ0iR-25g",
     "scope": "client-scope",
     "token_type": "Bearer",
     "expires_in": 18000
 }

Functional limitations

Access tokens issued by the client credentials grant are not stored in the IAM database. This implies the following limitations:

  • Token refresh is not supported.
  • Token revocation is not supported.
  • Token introspection is not supported.