ClientCredentialsOAuth2ClientFilter
Authenticates OAuth 2.0 clients by using the client’s OAuth 2.0 credentials to obtain an access_token from an authorization server, and injecting the access_token into the inbound request as a Bearer Authorization header.
The filter obtains the client’s access_token by using the client_credentials grant type, where the credentials are sent with the client_secret_basic method. The filter refreshes the access_token as required.
Use this filter in a service-to-service context, where services need to access resources protected by OAuth 2.0.
Usage
{
  "name": string,
  "type": "ClientCredentialsOAuth2ClientFilter",
  "config": {
    "clientId": configuration expression<string>,
    "clientSecretId": configuration expression<secret-id>,
    "secretsProvider": SecretsProvider reference,
    "tokenEndpoint": configuration expression<url>,
    "scopes": [ configuration expression<string>, ... ],
    "handler": Handler reference or inline Handler declaration
  }
}
Properties
"clientId"
: configuration expression<string>, required
The ID of the OAuth 2.0 client registered with the authorization server.
"clientSecretId"
: configuration expression<secret-id>, required
The ID to use when querying the secretsProvider for the client secret.
"secretsProvider"
: SecretsProvider reference, required
The SecretsProvider to use to resolve queried secrets, such as passwords and cryptographic keys. Provide either the name of a SecretsProvider object defined in the heap, or specify a SecretsProvider object inline.
"tokenEndpoint"
: configuration expression<url>, required
The URL to the authorization server’s OAuth 2.0 token endpoint.
"scopes"
: array of configuration expression<string>, optional
Array of scope strings to request from the authorization server.
Default: Empty, request no scopes.
"handler"
: Handler reference or inline Handler declaration, optional
The Handler to use to access the authorization server’s OAuth 2.0 token endpoint. Provide either the name of a handler object defined in the heap, or specify a handler object inline.
Default: ClientHandler
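The exchange the filter performs (client_credentials grant sent with client_secret_basic, token cached and refreshed before expiry, Bearer header injected into the request) and the way the properties above map onto it, as an added illustration that is not IG code and not the filter's actual implementation. Everything here is constructed: FakeAuthorizationServer stands in for the token endpoint the handler would call, the secrets dict plays the role of the secretsProvider, and the client ID, secret ID and scope names are made-up sample values.

```python
import base64
import time
from urllib.parse import parse_qs, urlencode


class FakeAuthorizationServer:
    """Constructed stand-in for an OAuth 2.0 token endpoint (not a real server).
    Checks client_secret_basic credentials and issues short-lived tokens."""

    def __init__(self, client_id, client_secret, lifetime=60):
        self.client_id, self.client_secret, self.lifetime = client_id, client_secret, lifetime
        self.issued = 0

    def handle(self, method, headers, body, now):
        if method != "POST":
            return 405, {"error": "invalid_request"}
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):          # client_secret_basic = HTTP Basic auth
            return 401, {"error": "invalid_client"}
        try:
            cid, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:
            return 401, {"error": "invalid_client"}
        if (cid, secret) != (self.client_id, self.client_secret):
            return 401, {"error": "invalid_client"}
        form = parse_qs(body)
        if form.get("grant_type") != ["client_credentials"]:
            return 400, {"error": "unsupported_grant_type"}
        self.issued += 1
        return 200, {"access_token": f"tok-{self.issued}", "token_type": "Bearer",
                     "expires_in": self.lifetime, "scope": form.get("scope", [""])[0]}


class ClientCredentialsFilter:
    """Obtains an access_token with the client_credentials grant, caches it, and
    injects it as a Bearer Authorization header; refreshes before expiry."""

    def __init__(self, client_id, secret_lookup, secret_id, token_endpoint,
                 scopes=(), clock=time.time, skew=5):
        self.client_id = client_id
        # clientSecretId resolved through the secrets provider (here: a dict lookup)
        self.client_secret = secret_lookup(secret_id)
        self.token_endpoint = token_endpoint       # stands in for handler + tokenEndpoint
        self.scopes, self.clock, self.skew = list(scopes), clock, skew
        self._token, self._expires_at, self.token_requests = None, 0.0, 0

    def _fetch_token(self):
        creds = f"{self.client_id}:{self.client_secret}".encode()
        headers = {"Authorization": "Basic " + base64.b64encode(creds).decode(),
                   "Content-Type": "application/x-www-form-urlencoded"}
        form = {"grant_type": "client_credentials"}
        if self.scopes:                            # omit scope entirely when none configured
            form["scope"] = " ".join(self.scopes)
        now = self.clock()
        self.token_requests += 1
        status, payload = self.token_endpoint("POST", headers, urlencode(form), now)
        if status != 200 or payload.get("token_type", "").lower() != "bearer":
            raise RuntimeError(f"token request failed: {status} {payload}")
        self._token = payload["access_token"]
        # refresh slightly before the declared expiry to absorb clock skew
        self._expires_at = now + payload.get("expires_in", 0) - self.skew

    def filter(self, request):
        if self._token is None or self.clock() >= self._expires_at:
            self._fetch_token()
        out = dict(request)
        out["headers"] = dict(request.get("headers", {}), Authorization=f"Bearer {self._token}")
        return out


def demo():
    """Constructed walk-through: two requests share one token, the third refreshes."""
    secrets = {"oauth2.client.secret": "s3cr3t-example"}      # constructed secret store
    clock = {"now": 1000.0}                                    # controllable clock
    server = FakeAuthorizationServer("ig-client", secrets["oauth2.client.secret"], lifetime=60)
    flt = ClientCredentialsFilter("ig-client", secrets.get, "oauth2.client.secret",
                                  server.handle, scopes=["read", "write"],
                                  clock=lambda: clock["now"])
    req = {"method": "GET", "uri": "https://api.example/resource", "headers": {}}
    first = flt.filter(req)["headers"]["Authorization"]
    second = flt.filter(req)["headers"]["Authorization"]      # cached token reused
    clock["now"] += 61                                         # past expires_in - skew
    third = flt.filter(req)["headers"]["Authorization"]       # refreshed
    return first, second, third, flt.token_requests


def rejected_with_wrong_secret():
    """A wrong client secret is rejected by the token endpoint and surfaces as an error."""
    server = FakeAuthorizationServer("ig-client", "right-secret")
    flt = ClientCredentialsFilter("ig-client", {"sid": "wrong-secret"}.get, "sid", server.handle)
    try:
        flt.filter({"headers": {}})
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), rejected_with_wrong_secret())
```

The point to take from the walk-through is the caching behaviour: the secret is only ever sent to the token endpoint, never downstream, and a failed token request stops the request rather than forwarding it without credentials.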
Log Level
To help debug secret resolution for this filter, add a logger to logback.xml defined by the fully qualified package name of the secrets API backend. The following line in logback.xml sets the log level to ALL:
<logger name="org.forgerock.secrets.oauth2" level="ALL" />
Examples
For an example, see Access Resources By Using OAuth 2.0 Credentials.