OAuth: the Client Credentials Flow

There’s one final flow that we have not covered yet: the Client Credentials flow. This flow is similar to the OAuth1 Two-Legged Flow and is meant to give the authenticating client itself access to resources that it owns. For example, a backend system could use the credentials of the client “mobile_android” to check how many users are accessing the API via this client.

While hybris supports the OAuth2 client credentials flow for the OCC Web Services, we’re currently not making use of it in the default configuration. We have ideas around securing the new customer registration API using the client credentials – you may leave a comment if you want to discuss this.

So let’s first take a look at the OAuth2 spec:

As you can see, it’s pretty simple. Just like the OAuth2 Resource Owner Password Flow, this flow consists of a single request and response. Let’s look at the few parameters that need to be sent to the Authorization Server in the request (A):

  • client_id & client_secret: id and secret need to be passed to the Authorization Server. This can be done either in the POST body of the request, or via a Basic Authorization header. In the code below, I’ll show you both options and our server also understands both of these alternatives.
  • grant_type: in this case, a grant_type of ‘client_credentials’ needs to be used.

The server will respond with a JSON document, but typically no refresh_token is issued. The client simply uses the returned access_token and authenticates again once the access_token has expired.
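To make the exchange concrete, here is an added example (not the Groovy code from the original post, and not hybris code) that plays both sides of the flow offline: the client builds request (A) with the credentials either in a Basic Authorization header or in the POST body, a minimal authorization-server handler validates it and issues response (B) without a refresh_token, and a small client wrapper re-authenticates once the access_token has expired. The client registration table, the secret value and the token lifetime are constructed for the example.

```python
import base64
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed client registrations (hypothetical values, not from the post);
# a real authorization server would keep these in its own client store.
REGISTERED_CLIENTS = {"mobile_android": "s3cr3t-android"}
TOKEN_LIFETIME_SECONDS = 3600


def build_token_request(client_id, client_secret, use_basic_header=True):
    """Build the single request (A): returns (headers, form-encoded body).

    grant_type is always client_credentials; the credentials go either in
    an HTTP Basic Authorization header or in the form body.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    params = {"grant_type": "client_credentials"}
    if use_basic_header:
        raw = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    else:
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    return headers, urlencode(params)


def _credentials_from_request(headers, form):
    """Extract (client_id, client_secret); the header wins if present."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[len("Basic "):]).decode()
        except (ValueError, UnicodeDecodeError):
            return None, None
        client_id, sep, client_secret = decoded.partition(":")
        return (client_id, client_secret) if sep else (None, None)
    return form.get("client_id", [None])[0], form.get("client_secret", [None])[0]


def handle_token_request(headers, body):
    """Minimal authorization-server side: validate (A) and build response (B).

    Success carries access_token, token_type and expires_in but no
    refresh_token; failures use RFC 6749 style error codes.
    """
    form = parse_qs(body)
    if form.get("grant_type") != ["client_credentials"]:
        return {"error": "unsupported_grant_type"}
    client_id, client_secret = _credentials_from_request(headers, form)
    expected = REGISTERED_CLIENTS.get(client_id)
    if expected is None or client_secret is None:
        return {"error": "invalid_client"}
    # Constant-time comparison so a wrong secret is not revealed by timing.
    if not hmac.compare_digest(expected.encode(), client_secret.encode()):
        return {"error": "invalid_client"}
    return {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "bearer",
        "expires_in": TOKEN_LIFETIME_SECONDS,
    }


class ClientCredentialsClient:
    """Client wrapper that caches the token and re-authenticates on expiry.

    token_endpoint is a callable taking (headers, body); here it stands in
    for the HTTP POST to the real token endpoint.
    """

    def __init__(self, client_id, client_secret, token_endpoint, use_basic_header=True):
        self._client_id = client_id
        self._client_secret = client_secret
        self._token_endpoint = token_endpoint
        self._use_basic_header = use_basic_header
        self._token = None
        self._expires_at = 0.0

    def access_token(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at:
            headers, body = build_token_request(
                self._client_id, self._client_secret, self._use_basic_header)
            response = self._token_endpoint(headers, body)
            if "error" in response:
                raise RuntimeError("token request failed: " + response["error"])
            self._token = response["access_token"]
            # Renew a little early so no request leaves with a stale token.
            self._expires_at = now + response["expires_in"] - 30
        return self._token


if __name__ == "__main__":
    client = ClientCredentialsClient("mobile_android", "s3cr3t-android", handle_token_request)
    print("access_token:", client.access_token())
```

The server-side handler accepts both credential placements, as the post says the hybris server does; the `ClientCredentialsClient` shows the client behaviour described above: no refresh_token to use, so it simply repeats the request once `expires_in` has elapsed.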

Let’s take a look from a client perspective, again via sample code written in Groovy and which is part of a little web application for demonstration purposes only:

The JSON document received in this case looks like the following:

With all the information about the other OAuth2 flows that you should already have (otherwise read a few recent posts…) this should be relatively straightforward. But of course, you can always drop a comment…

One thought on “OAuth: the Client Credentials Flow”

  1. Steven Francolla says:

    Thank you for this and the other really great oauth2 flow write-ups. We are going to reference them from our api documentation as alternate references.
