OAuth2 Client Credentials Flow

Grant Type - Client Credentials is used when the application needs an access token to:

  • Act on its own behalf (so not on behalf of a user)
  • AKA service-to-service (machine-to-machine) authentication

Grant Type - Client Credentials

  1. Do a POST request to https://authorisation-service.local/token including your client_id and client_secret:

     POST https://authorisation-service.local/token

     grant_type=client_credentials
     &client_id=dd938314e8e1
     &client_secret=20166c44bc7e
     &scope=foo

  2. The response could look like:

     {
       "token_type": "Bearer",
       "expires_in": 86400,
       "access_token": "eaabf941fbd1",
       "scope": "foo",
       "refresh_token": "2501d78c0345"
     }

  3. Resource requests then need to include the token_type and access_token in the authorisation header. Note the American spelling with a z:

     'Authorization':'Bearer eaabf941fbd1'
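The three steps above as a small Python client, added here as an example (it is not code from the original page). The endpoint and credential values are the page's own; the function names are mine, and the basic_auth option goes beyond the page to show the RFC's preferred way of sending the client secret.

```python
import base64
import json
import time
from urllib.parse import quote, urlencode

TOKEN_URL = "https://authorisation-service.local/token"  # token endpoint from the page

def build_token_request(client_id, client_secret, scope, basic_auth=False):
    """Build the POST that requests a client_credentials token.
    basic_auth=False puts the credentials in the form body, as the page shows.
    basic_auth=True sends them as an HTTP Basic header instead, the form
    RFC 6749 section 2.3.1 prefers (percent-encoded before base64).
    """
    form = {"grant_type": "client_credentials", "scope": scope}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if basic_auth:
        raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(raw.encode()).decode()
    else:
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    return {"method": "POST", "url": TOKEN_URL, "headers": headers, "body": urlencode(form)}

def parse_token_response(body, now=None):
    """Validate the token JSON and return (access_token, absolute expiry).

    Any refresh_token is ignored: with this grant the client just repeats the
    POST once the token expires (RFC 6749 section 4.4.3 says none should be issued).
    """
    data = json.loads(body)
    if "error" in data:  # RFC 6749 section 5.2 error response
        raise ValueError(f"token endpoint error: {data['error']}")
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unsupported token_type: {data.get('token_type')!r}")
    now = time.time() if now is None else now
    return data["access_token"], now + int(data["expires_in"])

def needs_refresh(expires_at, now, skew=60):
    """True when the cached token has expired or will within `skew` seconds."""
    return now + skew >= expires_at

def authorization_header(access_token):
    """Header for resource requests (American spelling, 'Authorization')."""
    return {"Authorization": f"Bearer {access_token}"}

# Constructed sample response using the values shown on the page.
SAMPLE_RESPONSE = json.dumps({"token_type": "Bearer", "expires_in": 86400,
                              "access_token": "eaabf941fbd1", "scope": "foo",
                              "refresh_token": "2501d78c0345"})
```

Keep the client_secret out of logs and query strings; it only belongs in the POST body or the Basic header.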
