Client Credentials Grant

The Client Credentials grant is used when the client is also the resource owner and it is accessing its own data instead of acting in behalf of a user. For example, an application that needs access to a protected resource to retrieve its own data to perform a task, or update its configuration, would use the Client Credentials grant to acquire an access token.

The Client Credentials Grant flow supports confidential clients only.

OAuth 2.0 Client Credentials Grant Flow
OAuth 2.0 Client Credentials Grant flow

The steps in the diagram are described below:

  1. The client sends its credentials to the authorization server to get authenticated, and requests an access token.

  2. If the client credentials are valid, the authorization server returns an access token to the client.

  3. The client requests access to the protected resources from the resource server.

  4. The resource server contacts the authorization server to validate the access token.

  5. The authorization server validates the token and responds to the resource server.

  6. If the token is valid, the resource server allows the client to access the protected resources.

Perform the steps in the following procedure to obtain an access token:

To Obtain an Access Token Using the Client Credentials Grant

This procedure assumes the following configuration:

  • AM is configured as an OAuth 2.0 authorization server. Ensure that:

    • The token Response Type Plugin is configured.

    • The Client Credentials Supported Grant Type is configured.

    For more information, see Authorization Server Configuration.

  • A confidential client called myClient is registered in AM with the following configuration:

    • Client secret: forgerock

    • Scopes: write

    • Response Types: token

    • Grant Types: Client Credentials

For more information, see Client Registration.

Perform the steps in this procedure to obtain an access token using the Client Credentials grant:

  • The client makes a POST call to the authorization server's token endpoint specifying, at least, the following parameters:

    • grant_type=client_credentials

    For information about the parameters supported by the /oauth2/access_token endpoint, see "/oauth2/access_token".

    Confidential clients can authenticate to the OAuth 2.0 endpoints in several ways. This example uses the following form parameters:

    • client_id=your_client_id

    • client_secret=your_client_secret

    For more information, see OAuth 2.0 Client Authentication.

    If the OAuth 2.0 provider is configured for a subrealm rather than the Top Level Realm, you must specify it in the endpoint. For example, if the OAuth 2.0 provider is configured for the /customers realm, use /oauth2/realms/root/realms/customers/access_token.

    For example:

    $ curl --request POST \
    --data "grant_type=client_credentials" \
    --data "client_id=myClient" \
    --data "client_secret=forgerock" \
    --data "scope=write" \
    "https://openam.example.com:8443/openam/oauth2/realms/root/access_token"

    Note that the scope parameter has been included. Scopes are not required, since they can be configured by default in the authorization server and the client, and have been added only as an example.

    The authorization server returns an access token in the access_token property. For example:

    {
      "access_token": "sbQZuveFumUDV5R1vVBl6QAGNB8",
      "scope": "write",
      "token_type": "Bearer",
      "expires_in": 3599
    }
Read a different version of :