OAuth client credentials flow is a grant type in the OAuth2 protocol that allows a client to request an access token directly, without the need for an end-user to authorize the request. This grant type is typically used when the client is acting on its own behalf, rather than on behalf of an end-user.

In this flow, the client sends a request to the authorization server’s token endpoint, including its client id and client secret. If the client credentials are valid, the authorization server issues an access token. The client can then use the access token to authenticate API requests.

Here is an example of how the client credentials flow works:

  1. The client sends a request to the authorization server’s token endpoint, including its client id and client secret.
  2. The authorization server authenticates the client and checks that it has permission to use the client credentials grant type.
  3. If the client is authenticated and authorized, the authorization server issues an access token and returns it to the client.
  4. The client can then use the access token to authenticate API requests.

One advantage of the client credentials flow is that it is relatively simple and easy to implement. However, it is important to note that this grant type does not provide any access to end-user resources. It is intended for use cases where the client is acting on its own behalf, rather than on behalf of an end-user.

Here is an example of the request that the client would send to the authorization server’s token endpoint in the client credentials flow:

POST /token HTTP/1.1
Host: authorization-server.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=CLIENT_ID&client_secret=CLIENT_SECRET

In this request:

  • grant_type is set to client_credentials to indicate that the client is using the client credentials grant type.
  • client_id is the client’s id.
  • client_secret is the client’s secret.

The authorization server will use the client id and client secret to authenticate the client and check that it has permission to use the client credentials grant type. If the client is authenticated and authorized, the authorization server will issue an access token and return it to the client in the response.

Here is an example of the response that the authorization server might send:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token": "ACCESS_TOKEN",
  "token_type": "Bearer",
  "expires_in": 3600
}

In this response:

  • access_token is the access token that the client can use to authenticate API requests.
  • token_type is the type of the access token. In this example, it is a “Bearer” token, which means that it can be included in the Authorization header of API requests.
  • expires_in is the number of seconds until the access token expires.
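As an added example (not code from the original page), the Python client below performs the exchange described above end to end: it builds the token request, validates the JSON response, tracks expires_in as an absolute expiry time so the token is refreshed shortly before it lapses, and attaches the Bearer token to API calls. It goes slightly beyond the page in sending the client credentials via HTTP Basic authentication, which RFC 6749 also permits for this grant. The endpoint URL, the injected transport callable and the fake server are assumptions so that it runs offline.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://authorization-server.com/token"  # hypothetical endpoint
REFRESH_MARGIN = 60  # seconds before expiry at which a fresh token is requested


def build_token_request(client_id: str, client_secret: str):
    """Form the client-credentials token request. The page sends the secret
    in the form body; RFC 6749 sec. 2.3.1 also allows HTTP Basic auth with
    the same values, which is used here so only grant_type goes in the body."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode({"grant_type": "client_credentials"})


def parse_token_response(status: int, body: str, now: float) -> dict:
    """Validate the token response and convert expires_in to an absolute time."""
    if status != 200:
        raise RuntimeError(f"token endpoint returned HTTP {status}")
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token_type {data.get('token_type')!r}")
    return {"access_token": data["access_token"],
            "expires_at": now + int(data["expires_in"])}


class ClientCredentialsClient:
    """Caches the access token and re-requests it before it expires.
    transport(headers, body) -> (status, body) is injected to run offline."""

    def __init__(self, client_id, client_secret, transport):
        self._headers, self._body = build_token_request(client_id, client_secret)
        self._transport = transport
        self._token = None
        self.token_requests = 0  # how many times the token endpoint was called

    def access_token(self, now: float) -> str:
        if self._token is None or now >= self._token["expires_at"] - REFRESH_MARGIN:
            status, body = self._transport(self._headers, self._body)
            self._token = parse_token_response(status, body, now)
            self.token_requests += 1
        return self._token["access_token"]

    def auth_header(self, now: float) -> dict:
        return {"Authorization": f"Bearer {self.access_token(now)}"}


def fake_transport(headers, body):
    """Constructed stand-in for the authorization server; returns the page's sample response."""
    if not headers["Authorization"].startswith("Basic ") or body != "grant_type=client_credentials":
        return 400, json.dumps({"error": "invalid_request"})
    return 200, json.dumps({"access_token": "ACCESS_TOKEN", "token_type": "Bearer", "expires_in": 3600})
```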


Reference:

https://oauth.net/2/grant-types/client-credentials/