Client credentials

Used for machine-2-machine

When requesting an access token use grant_type: client_credentials.

HTTP POST is used for the token endpoint.

Example: http://127.0.0.1:8080/oidc/tenant1/token-endpoint

Request parameters

These parameters must be posted as a part of the URL-encoded form values.

Parameter

Description

Mandatory

grant_type

Supported value is client_credentials.

scope

requested scopes (space-separated)

resource

one or more values, each identifying a target API (audience).

Multiple = multiple params, not space-separated.

Using the client_credentials grantRequest parameters

When using the token endpoint with the client_credentials grant (M2M) a couple of things needs to be in place:

In the discovery_meta section on the OIDC module add client_credentials:

"grant_types_supported": [ 
    "authorization_code", 
    "refresh_token", 
    "client_credentials"
],

In the Relying Party configuration add:

"client_credentials_pipe_id": "client_credentials_pipe",

Add corresponding "client_credentials_pipe":

// Example pipe for JWT access token with ttl of 60 minutes
// Note! For access tokens, jwt header 'typ' must be 'at+jwt'
{
    "id": "client_credentials_pipe",
    "config": {
        "valves": [
            {
                "name": "CreateJwt",
                "enabled": true,
                "config": {
                    "dest": "access_token",
                    "jwt_ttl": 60,
                    "jwt_headers": {
                        "typ": "at+jwt"
                    },
                    "jwt_claims": {
                        "client_id": "${request.client_id}",
                        "sub": "${request.client_id}",
                        "iss": "https://op.example.com",
                        "aud": ["https://api.example.com/"],
                        "scope": "${request.scope}"
                    },
                    "keystore": {
                        "path": "/fortified_test/config/keystore.p12",
                        "password": "supersecret",
                        "type": "PKCS12"
                    },
                    "keystore_password": "supersecret",
                    "keystore_alias": "jwt"
                }
            },
            {
                "name": "JsonObjectCreate",
                "enabled": true,
                "config": {
                    "src": {
                        "access_token": "${item.access_token}",
                        "token_type": "Bearer",
                        "expires_in": 3600,
                        "scope": "read"
                    },
                    "dest": "client_credentials"
                }
            }
        ]
    }
}

// Example pipe for opaque access token with ttl of 60 minutes
{
    "id": "client_credentials_pipe",
    "config": {
        "valves": [
            {
                "name": "CreateItem",
                "enabled": true,
                "config": {
                    "id": "temp",
                    "properties": {}
                }
            },
            {
                "name": "JsonObjectCreate",
                "enabled": true,
                "config": {
                    "src": {
                        "access_token": "",
                        "token_type": "Bearer",
                        "expires_in": 3600,
                        "scope": "read"
                    },
                    "dest": "client_credentials"
                }
            }
        ]
    }
}

PreviousRefresh token NextUser info endpoint