OAuth2 Client Credentials Flow

Grant Type - Client Credentials is used when the application needs an access token to:

• Act on behalf of themselves (so not a user)
• AKA Service to Service

1. Do a POST request to https://authorisation-service.local/token including your client_id and client_secret

POST https://authorisation-service.local/token

grant_type=client_credentials
&client_id=dd938314e8e1
&client_secret=20166c44bc7e
&scope=foo

2. The response could look like

{
  "token_type": "Bearer",
  "expires_in": 86400,
  "access_token": "eaabf941fbd1",
  "scope": "foo",
  "refresh_token": "2501d78c0345"
}

3. Resource requests then need to include the token_type and access_token in the authorisation header. Note the American spelling with a z.

'Authorization':'Bearer eaabf941fbd1'

References

• https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/
• https://aaronparecki.com/oauth-2-simplified/#client-credentials