OAuth 2.0 has a flow called Client Credentials that is useful for requests to APIs that do not involve a user. The client credentials flow lets a server call its own API with an access token, without changing the API itself.
For machine-to-machine (M2M) applications such as CLIs, daemons, and services running in the backend, the system authenticates and authorizes apps instead of users. Common authentication methods such as username + password or social login don't make sense in this scenario. Instead, M2M apps use the client credentials flow (defined in OAuth 2.0 RFC 6749 section 4.4), passing a client ID and client secret to authenticate and receive a token.
What is the Client Credentials Grant Flow?
The client credentials grant is used when two servers need to communicate with each other outside of any user's context. This is a very common scenario that is often overlooked in online tutorials and documentation. In contrast, the authorization code grant type is used when applications need to authenticate users and obtain authorization tokens on their behalf. In that case the JWT typically represents a user's identity within an application and defines the resources and actions that the user can access.
Goal of Client Credentials Grant Flow
The purpose of the OAuth 2.0 client credentials grant is to allow two automated services to interact securely. It does this by replacing the old HTTP Basic scheme, in which the credential travels on every request, with a token-based scheme in which the client secret is presented only to the token endpoint and the access token is used everywhere else. This greatly reduces the number of requests that expose sensitive credentials.
How It Works:
- Your application sends its client ID and client secret to the Auth0 authorization server's /oauth/token endpoint to authenticate.
- The Auth0 authorization server verifies the client ID and client secret.
- The Auth0 authorization server responds with an access token.
- Your application calls the API itself, presenting the access token.
- The API responds with the requested data.
In short: the client makes a single POST request to the OAuth server, and the OAuth server immediately issues an access token in its response to the client.
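The five steps above, carried through end to end as an added example (not code from the original post or from Auth0): a machine client builds the token request, a toy authorization server authenticates the client and mints an HS256-signed JWT, and the API validates that token before serving data. The client registry, the client secret, the signing key and the issuer/audience URLs are constructed placeholders; a real deployment would use Auth0's token endpoint and verify its RS256 signatures against the tenant's published keys.

```python
"""Client-credentials exchange (RFC 6749 section 4.4) with all three parties
in one process: a machine client, a toy authorization server and the API.
Added example: registry, secrets, URLs and signing key are constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode

SIGNING_KEY = b"constructed-hs256-key-not-for-production"  # placeholder
TOKEN_TTL_SECONDS = 3600
ISSUER, AUDIENCE = "https://auth.example/", "https://api.example/"  # hypothetical
# Constructed registry: the server stores a hash of each secret, not the secret.
CLIENT_REGISTRY = {
    "backend-daemon": {
        "secret_sha256": hashlib.sha256(b"daemon-secret-123").hexdigest(),
        "allowed_scopes": {"read:reports", "write:reports"},
    }
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_token_request(client_id: str, client_secret: str, scope: str) -> dict:
    """Step 1, client side: the form-encoded POST sent to /oauth/token."""
    return {"method": "POST", "path": "/oauth/token",
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode({"grant_type": "client_credentials",
                               "client_id": client_id,
                               "client_secret": client_secret,
                               "scope": scope})}


def token_endpoint(request: dict, now: Optional[float] = None) -> dict:
    """Steps 2-3, server side: verify the client, then mint an HS256 JWT."""
    now = time.time() if now is None else now
    form = {k: v[0] for k, v in parse_qs(request["body"]).items()}
    if form.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    client = CLIENT_REGISTRY.get(form.get("client_id", ""))
    presented = hashlib.sha256(form.get("client_secret", "").encode()).hexdigest()
    # Constant-time compare, against a dummy digest for unknown clients, so
    # response timing does not reveal which client IDs exist.
    secret_ok = hmac.compare_digest(presented, client["secret_sha256"] if client else "0" * 64)
    if client is None or not secret_ok:
        return {"error": "invalid_client"}
    requested = set(form.get("scope", "").split())
    if not requested <= client["allowed_scopes"]:
        return {"error": "invalid_scope"}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({
        "iss": ISSUER, "aud": AUDIENCE,
        "sub": f"{form['client_id']}@clients",  # the subject is a client, not a user
        "scope": " ".join(sorted(requested)),
        "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}).encode())
    sig = _b64url(hmac.new(SIGNING_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest())
    return {"access_token": f"{header}.{claims}.{sig}",
            "token_type": "Bearer", "expires_in": TOKEN_TTL_SECONDS}


def verify_bearer(authorization: str, required_scope: str,
                  now: Optional[float] = None) -> Optional[dict]:
    """Steps 4-5, API side: accept only a correctly signed, unexpired token for
    this audience that carries the required scope; return its claims or None."""
    now = time.time() if now is None else now
    scheme, _, token = authorization.partition(" ")
    parts = token.split(".")
    if scheme != "Bearer" or len(parts) != 3:
        return None
    header_b64, claims_b64, sig = parts
    try:
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # only the algorithm the API expects is ever verified
        expected = _b64url(hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(),
                                    hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(_b64url_decode(claims_b64))
        if claims["aud"] != AUDIENCE or claims["exp"] <= now:
            return None
        if required_scope not in claims["scope"].split():
            return None
        return claims
    except (ValueError, KeyError, TypeError):
        return None


def run_flow(client_id: str, client_secret: str, scope: str = "read:reports",
             now: Optional[float] = None) -> dict:
    """All five steps: token request, token response, then the API call."""
    response = token_endpoint(build_token_request(client_id, client_secret, scope), now)
    if "error" in response:
        return response
    api_claims = verify_bearer(f"Bearer {response['access_token']}", "read:reports", now)
    return {"token_response": response, "api_claims": api_claims}


if __name__ == "__main__":
    print(run_flow("backend-daemon", "daemon-secret-123"))
    print(run_flow("backend-daemon", "wrong-secret"))
```

Two design points worth noticing: the secret is sent only once, to the token endpoint, and every later API call carries the short-lived token instead; and the API checks signature, algorithm, audience, expiry and scope before trusting anything in the token, so a token minted for another audience or with a different scope is rejected even though it is validly signed.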