Client Credentials Grant

Jakub Jirutka edited this page Oct 23, 2015 · 3 revisions

The client presents its own credentials to the OAAS (the OAuth 2.0 authorization server) in order to obtain an access token. The token is either associated with the client's own resources rather than with a particular resource owner (i.e. a user), or it is associated with a user on whose behalf the client is otherwise authorized to act. Because the grant is the client's own authentication, this flow is only appropriate for confidential clients that can keep their secret (server-side services), never for browser or mobile applications.

Obtain an Access Token

Since the client authentication itself serves as the authorization grant, no separate authorization request is needed and the client can directly request an access token. The request is an HTTPS POST to the token endpoint with a form-encoded (application/x-www-form-urlencoded) body carrying the following parameters:

| Field | Description |
| --- | --- |
| grant_type | Must be the value client_credentials. |
| scope | (Optional) A space-delimited set of scopes the client requests. It may be all scopes registered for the client on the OAAS or any subset of them; requesting a scope that is not registered for the client is an error. If omitted, all registered scopes are issued. |
| client_id | Client authentication; required only when the Authorization header is not used. |
| client_secret | Client authentication; required only when the Authorization header is not used. Sending the secret in the request body is permitted by RFC 6749 (section 2.3.1) but not recommended; prefer HTTP Basic authentication in the Authorization header. |

The actual request might look like:

POST /oauth/token HTTP/1.1
Host: oaas.example.org
Authorization: Basic c2ltcGxlLWNsaWVudDp0b3Atc2VjcmV0
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&scope=urn:zuul:oauth:sample.read

The same request with curl:

curl --data "grant_type=client_credentials&scope=urn:zuul:oauth:sample.read" --user simple-client:top-secret https://oaas.example.org/oauth/token

Where c2ltcGxlLWNsaWVudDp0b3Atc2VjcmV0 is simple-client:top-secret in Base64 (i.e. client_id:client_secret, the HTTP Basic scheme). The credentials are only Base64-encoded, not encrypted, which is why the endpoint must be reached over HTTPS.

A successful response to this request contains the following fields:

| Field | Description |
| --- | --- |
| access_token | The token that can be used to access resources on a resource provider. |
| expires_in | The remaining lifetime of the access token, in seconds. |
| scope | A space-delimited set of scopes the token was issued for. |
| token_type | At this time, this field will always have the value bearer. |

and is similar to the following:

{
    "access_token": "3f801c23-2442-4ffe-aece-9bfc778c1ca2",
    "token_type": "bearer",
    "expires_in": 3600,
    "scope": "urn:zuul:oauth:sample.read"
}
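The exchange above, both sides of it, as an added worked example that is not part of this page or of the Zuul OAAS code base. It starts a minimal mock token endpoint on localhost (using only the Python standard library) with the client registry, registered scopes and error handling being assumptions made for the example, and then runs a client that sends grant_type=client_credentials with HTTP Basic authentication exactly as in the request shown above. The endpoint checks the secret with a constant-time comparison, rejects unregistered scopes with invalid_scope, defaults to all registered scopes when none are requested, and answers bad credentials with 401 invalid_client, which are the failure modes a practitioner is most likely to meet.

```python
"""Client credentials grant, both sides: a mock OAAS token endpoint and a client.
Example code written for this page; it is not the Zuul OAAS implementation."""
import base64
import json
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the OAAS client registry. The client id and secret
# match the page's example; the registered scope list is an assumption.
CLIENTS = {
    "simple-client": {
        "secret": "top-secret",
        "scopes": {"urn:zuul:oauth:sample.read", "urn:zuul:oauth:sample.write"},
    }
}
TOKEN_TTL = 3600  # seconds; assumed lifetime, matches the page's sample response


def _parse_basic_auth(header):
    """Return (client_id, client_secret) from an HTTP Basic header, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, secret = decoded.partition(":")
    return (client_id, secret) if sep else None


def issue_token(auth_header, form):
    """Token endpoint logic. Returns (HTTP status, JSON body as dict)."""
    creds = _parse_basic_auth(auth_header)
    if creds is None:  # fall back to client_id/client_secret in the form body
        creds = (form.get("client_id", [""])[0], form.get("client_secret", [""])[0])
    client_id, secret = creds
    client = CLIENTS.get(client_id)
    # Constant-time comparison: a wrong secret must not be distinguishable by timing.
    if client is None or not secrets.compare_digest(secret, client["secret"]):
        return 401, {"error": "invalid_client"}
    if form.get("grant_type", [None])[0] != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    # Omitted scope means "all registered scopes"; anything unregistered is refused.
    requested = set(form.get("scope", [""])[0].split()) or client["scopes"]
    if not requested <= client["scopes"]:
        return 400, {"error": "invalid_scope"}
    return 200, {
        "access_token": secrets.token_urlsafe(32),  # opaque, unguessable token
        "token_type": "bearer",
        "expires_in": TOKEN_TTL,
        "scope": " ".join(sorted(requested)),
    }


class TokenHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode("utf-8"))
        status, body = issue_token(self.headers.get("Authorization"), form)
        payload = json.dumps(body).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Cache-Control", "no-store")  # tokens must not be cached
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="oaas"')
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_mock_oaas():
    """Start the mock endpoint on an ephemeral port; returns (server, token_url)."""
    server = HTTPServer(("127.0.0.1", 0), TokenHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/oauth/token" % server.server_port


def request_token(token_url, client_id, client_secret, scope=None):
    """Client side: POST grant_type=client_credentials with HTTP Basic auth."""
    fields = {"grant_type": "client_credentials"}
    if scope:
        fields["scope"] = scope
    body = urllib.parse.urlencode(fields).encode("utf-8")
    basic = base64.b64encode(("%s:%s" % (client_id, client_secret)).encode()).decode()
    req = urllib.request.Request(token_url, data=body, method="POST", headers={
        "Authorization": "Basic " + basic,
        "Content-Type": "application/x-www-form-urlencoded",
    })
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:  # 4xx carries an OAuth error document
        return e.code, json.loads(e.read().decode("utf-8"))


if __name__ == "__main__":
    server, url = start_mock_oaas()
    print(request_token(url, "simple-client", "top-secret", "urn:zuul:oauth:sample.read"))
    print(request_token(url, "simple-client", "wrong-secret", "urn:zuul:oauth:sample.read"))
    server.shutdown()
```

The mock listens on plain HTTP on the loopback interface only because it is a local demonstration; against a real OAAS the token URL must be https://, since the Basic header carries the secret in reversible Base64.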