Overview#

Client Credentials Grant (CCG) (or other forms of client authentication) can be used as an Authorization Grant when the authorization scope is limited to the protected resources under the control of the OAuth Client, or to protected resources previously arranged with the Authorization Server.

Client Credentials Grant (or Client Credentials Flow) is a server-to-server flow. No user authentication is involved; in fact there is no user at all. The resulting Access_tokens therefore carry no user and instead contain the Client_id as the subject (unless configured otherwise).

This flow is useful for systems that need to perform API operations when no user is present, such as nightly batch jobs or other processes that call OAuth-protected APIs.

Since there is no user authorization, the flow only interacts with the Token endpoint.

OAuth Client credentials are used as an Authorization Grant typically when the client is acting on its own behalf (the client is also the Resource Owner) or is requesting access to protected resources based on an authorization previously arranged with the Authorization Server.

No Refresh_token is issued in the Client Credentials Grant. When the Access_token expires, the client simply makes the same call again to obtain a new one.

The Authorization Request Parameters are sent in an HTTP POST to the Token Endpoint.

The Token Endpoint
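The exchange described above, as an added example that is not part of the original page: a client builds the HTTP POST to the Token Endpoint using client_secret_basic, and a minimal Token Endpoint authenticates the client, restricts the scope to what was pre-arranged, and issues an access token whose subject is the Client_id and no Refresh_token. The client registry, secret and scope names are constructed for the example.

```python
import base64
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed client registry: each client and the scopes pre-arranged with the AS.
CLIENTS = {"nightly-report-job": {"secret": "example-secret-not-real",
                                  "scopes": {"reports:read", "reports:write"}}}
ISSUED = {}  # access_token -> claims, so a resource server could introspect it


def build_token_request(client_id, client_secret, scope=None):
    """Client side: HTTP POST to the Token Endpoint using client_secret_basic."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode(form)


def handle_token_request(headers, body):
    """Token Endpoint side: returns (http_status, json_response)."""
    auth = headers.get("Authorization", "")
    try:
        decoded = base64.b64decode(auth.removeprefix("Basic ")).decode()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return 401, {"error": "invalid_client"}
    client_id, _, secret = decoded.partition(":")
    client = CLIENTS.get(client_id)
    # Compare against a random dummy when the client is unknown so timing is uniform.
    expected = client["secret"] if client else secrets.token_hex(16)
    if not hmac.compare_digest(expected.encode(), secret.encode()) or not client:
        return 401, {"error": "invalid_client"}
    form = parse_qs(body)
    if form.get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    # Default to the pre-arranged scopes; anything outside them is refused.
    requested = set(form["scope"][0].split()) if "scope" in form else client["scopes"]
    if not requested <= client["scopes"]:
        return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)
    # The subject is the client_id: there is no user in this flow.
    ISSUED[token] = {"sub": client_id, "scope": sorted(requested), "exp": int(time.time()) + 3600}
    # No refresh_token is issued; the client repeats the POST when the token expires.
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600,
                 "scope": " ".join(sorted(requested))}
```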
