Client Credentials grant usage

Use case scenario

This scenario demonstrates the following use case:

  • A client registers itself through dynamic client registration.
  • A client requests an access token with a client credentials grant.

Step 1 – Dynamic client registration

 
Example

Dynamic client registration request

POST https://oidc.airlock.com/auth-login/rest/public/tech-client-registration/oauth2/myAS/register
{
    "client_name": "Sample Client",
    "client_uri": "https://test-client.airlock.com",
    "scope": "strong client-scope",
    "token_endpoint_auth_method": "client_secret_basic",
    "redirect_uris": [
        "https://sample-client.airlock.com/redirectUri"
    ],
    "response_types": [
        "code"
    ],
    "grant_types": [
        "authorization_code",
        "refresh_token"
    ],
    "contacts": [
        "Peter Sample"
    ]
}

This request will receive the following response (see the code block below).

The following elements in the response are noteworthy:

  • client_id and client_secret are generated by the authorization server.
  • scope is limited by an additional processor to the string client-scope. The scope strong was not accepted by the authorization server and is therefore missing from the response.
 
Example

Code block dynamic client registration response

200 OK
{
    "scope": "client-scope",
    "contacts": [
        "Peter Sample"
    ],
    "client_id": "5572a786-010e-48a3-8c87-0d94d263f3b9",
    "client_secret": "WMKA5QLW5iuFGt5CsePYQBYbuDL8DcCD",
    "client_secret_expires_at": 0,
    "client_id_issued_at": 1597332712,
    "redirect_uris": [
        "https://test-client.airlock.com/redirectUri"
    ],
    "token_endpoint_auth_method": "client_secret_basic",
    "grant_types": [
        "authorization_code",
        "refresh_token"
    ],
    "response_types": [
        "code"
    ],
    "client_name": "Sample Client",
    "client_uri": "https://sample-client.airlock.com"
}

Step 2 – Client Credentials grant

The Client Credentials grant starts with a request to the token endpoint with grant_type set to client_credentials.

The client authenticates with HTTP Basic authentication, as configured by the token_endpoint_auth_method (client_secret_basic) in its registration. The credentials are the client_id and client_secret from the dynamic client registration response above.

 
Example

Client Credentials grant request

POST https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS/token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ

grant_type=client_credentials&
scope=client-scope

The authorization server validates the client's credentials and, on success, responds with an access token:

 
Example

Client Credentials grant response

200 OK
{
    "access_token": "eyJraWQiOiI3...YeQ0iR-25g",
    "scope": "client-scope",
    "token_type": "Bearer",
    "expires_in": 18000
}
 
Functional limitation

Access tokens issued by the Client Credentials grant are not stored in the IAM database.

This results in the following limitations:

  • Token refresh is not supported.
  • Token revocation is not supported.
  • Token introspection is not supported.
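The following added example (not part of the Airlock IAM documentation) shows a client side of step 2 together with the consequences of the limitation above: it builds the client_secret_basic Authorization header from the client_id and client_secret issued in step 1, checks that the server actually granted the requested scope (the server narrowed the scope in step 1), and, because tokens from this grant cannot be refreshed or introspected, caches the token locally and requests a new one shortly before expires_in elapses. The transport callable and constructed_transport are assumptions standing in for the HTTP call; the endpoint, credentials and response values are taken from this page.

```python
import base64
import json
import time
from urllib.parse import quote, urlencode

# Endpoint and credentials taken from the registration response on this page.
TOKEN_URL = "https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS/token"
CLIENT_ID = "5572a786-010e-48a3-8c87-0d94d263f3b9"
CLIENT_SECRET = "WMKA5QLW5iuFGt5CsePYQBYbuDL8DcCD"

def basic_auth_header(client_id, client_secret):
    # client_secret_basic (RFC 6749 2.3.1): form-urlencode both values, join with ':', base64.
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")

def build_token_request(client_id, client_secret, scope):
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Authorization": basic_auth_header(client_id, client_secret)}
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return headers, body

class ClientCredentialsClient:
    # Tokens from this grant cannot be refreshed or introspected, so the client
    # tracks expiry locally and requests a fresh token shortly before expiry.
    def __init__(self, transport, scope, skew=30, clock=time.time):
        self.transport = transport  # hypothetical: callable(url, headers, body) -> (status, text)
        self.scope, self.skew, self.clock = scope, skew, clock
        self._token, self._expires_at = None, 0.0

    def token(self):
        if self._token and self.clock() < self._expires_at - self.skew:
            return self._token
        headers, body = build_token_request(CLIENT_ID, CLIENT_SECRET, self.scope)
        status, text = self.transport(TOKEN_URL, headers, body)
        if status != 200:
            raise RuntimeError(f"token request failed: {status} {text}")
        resp = json.loads(text)
        if resp.get("token_type", "").lower() != "bearer":
            raise RuntimeError("unexpected token_type")
        # The server may narrow the scope (step 1 dropped 'strong'); check what was granted.
        missing = set(self.scope.split()) - set(resp.get("scope", "").split())
        if missing:
            raise RuntimeError(f"scope not granted: {sorted(missing)}")
        self._token = resp["access_token"]
        self._expires_at = self.clock() + int(resp["expires_in"])
        return self._token

def constructed_transport(url, headers, body):
    # Constructed stand-in for the HTTP call; returns the token response shown on this page.
    return 200, '{"access_token": "eyJraWQiOiI3...YeQ0iR-25g", "scope": "client-scope", "token_type": "Bearer", "expires_in": 18000}'
```

To run against a real authorization server, replace constructed_transport with a function that performs the HTTPS POST and returns the status code and response body.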

Further information and links