Use Case Scenario
This scenario demonstrates the following use case:
- A client registers itself through dynamic client registration
- A client requests an access token with a client credentials grant
Dynamic Client Registration Request
POST https://oidc.airlock.com/auth-login/rest/public/tech-client-registration/oauth2/myAS/register

{
  "client_name": "Sample Client",
  "client_uri": "https://test-client.airlock.com",
  "scope": "strong client-scope",
  "token_endpoint_auth_method": "client_secret_basic",
  "redirect_uris": [ "https://sample-client.airlock.com/redirectUri" ],
  "response_types": [ "code" ],
  "grant_types": [ "authorization_code", "refresh_token" ],
  "contacts": [ "Peter Sample" ]
}
This request will receive the following response. The following elements in the response are noteworthy:
Dynamic Client Registration Response
200 OK

{
  "scope": "client-scope",
  "contacts": [ "Peter Sample" ],
  "client_id": "5572a786-010e-48a3-8c87-0d94d263f3b9",
  "client_secret": "WMKA5QLW5iuFGt5CsePYQBYbuDL8DcCD",
  "client_secret_expires_at": 0,
  "client_id_issued_at": 1597332712,
  "redirect_uris": [ "https://test-client.airlock.com/redirectUri" ],
  "token_endpoint_auth_method": "client_secret_basic",
  "grant_types": [ "authorization_code", "refresh_token" ],
  "response_types": [ "code" ],
  "client_name": "Sample Client",
  "client_uri": "https://sample-client.airlock.com"
}
The client credentials grant starts with a request to the token endpoint with "grant_type" set to "client_credentials".
For authentication, the client uses HTTP Basic authentication, as defined by the "token_endpoint_auth_method" value "client_secret_basic". The credentials are the client_id and client_secret from the dynamic client registration response above.
Client Credentials Grant Request
POST https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS/token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ

grant_type=client_credentials&scope=client-scope
The authorization server successfully validated the credentials provided by the client and responds with an access token:
Client Credentials Grant Response
200 OK

{
  "access_token": "eyJraWQiOiI3...YeQ0iR-25g",
  "scope": "client-scope",
  "token_type": "Bearer",
  "expires_in": 18000
}
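The following is an added example, not code from the original page or from Airlock IAM. It shows a client comparing the metadata it requested with what the server registered (the scope differs in the exchange above) and then building the client credentials request with client_secret_basic. The function names are hypothetical; the values are copied from the requests and responses above, and nothing is sent over the network.

```python
import base64
from urllib.parse import quote_plus, urlencode

# Values copied from the registration request and response on this page.
REQUESTED = {"scope": "strong client-scope",
             "token_endpoint_auth_method": "client_secret_basic"}
REGISTERED = {"scope": "client-scope",
              "client_id": "5572a786-010e-48a3-8c87-0d94d263f3b9",
              "client_secret": "WMKA5QLW5iuFGt5CsePYQBYbuDL8DcCD",
              "token_endpoint_auth_method": "client_secret_basic"}
TOKEN_ENDPOINT = ("https://oidc.airlock.com/auth-login/rest/oauth2/"
                  "authorization-servers/myAS/token")


def metadata_changes(requested, registered):
    """Return {field: (requested, registered)} for values the server altered."""
    changes = {}
    for key, wanted in requested.items():
        got = registered.get(key)
        if key == "scope":  # space-separated set, order is irrelevant
            wanted, got = sorted(wanted.split()), sorted((got or "").split())
        if wanted != got:
            changes[key] = (wanted, got)
    return changes


def basic_auth_header(client_id, client_secret):
    """client_secret_basic: form-encode both parts (RFC 6749, 2.3.1), then Base64."""
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")


def token_request(registered, scope):
    """Build (url, headers, body) for the client credentials grant; sends nothing."""
    if registered["token_endpoint_auth_method"] != "client_secret_basic":
        raise ValueError("unsupported token_endpoint_auth_method")
    if not set(scope.split()) <= set(registered["scope"].split()):
        raise ValueError("scope was not registered for this client")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(registered["client_id"],
                                           registered["client_secret"]),
    }
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return TOKEN_ENDPOINT, headers, body
```

Encoding the credentials before Base64 matters once a client_id or client_secret contains a colon, space or percent sign; the sample values above happen to pass through unchanged.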
Access tokens issued by the client credentials grant are not stored in the IAM database. This implies the following limitations: