Client Credentials Flow
This section explains how the APIs and the data accessed through the Service Layer are secured, and how to establish an OAuth 2.0 delegation model.
We currently use the Client Credentials Grant Flow between OIPA trusted components (OIPA, CYCLE, SERVICE LAYER, ADMIN CONSOLE, ODS).
Client Credential Grant Flow
Machine-to-machine interaction, where the client is an application authenticating against another application. This is the simplest flow: the client presents its own credentials (CLIENT_ID and CLIENT_SECRET) to the Authorization Server and receives an access token in exchange. In this use case the CLIENT (an application) accesses a Service Layer API (the Resource) hosted by the Service Layer application (the Resource Server), authenticating and authorizing against an Identity Provider (the Authorization Server). No resource owner (a user) is involved; the token represents the client application itself, so the Resource Server authorizes calls on the scopes granted to the client, not on any user's permissions.
USAGE:
Use this grant type when authorization scope is limited to the protected resources under the control of the client or to protected resources registered with the OAuth Authorization Server.
Environment Details
The environment details required to access the Admin Console are given below:
- IDCS: IDP URL - https://hostName/ui/v1/adminconsole
- UserName/Password: Create an account in IDCS environment
- Enter the URL https://hostName/ui/v1/adminconsole.
- Enter the User Name and Password and click Sign In. The IDCS Homepage appears.
- Click Application module. The Application screen appears.
- Click Add option. The Add Application screen appears.
- Select the Confidential Application option. The Add Confidential Application screen appears.
- In the Details screen, enter the name and description for the application in the Name and Description text boxes respectively.
- Click Next option.
- In the Client screen, select Configure the application as a client now option.
- In the Authorization section, select Client Credentials in the Allowed Grant Types option and select Introspect in the Allowed Operations option.
- Click Next option. The Resources screen appears.
- Select Configure this application as a resource server now in the Resources screen and enter the following information:
  - In the Primary Audience section, enter the URL in the format http://{hostname}:{portnumber}/PASService/rest/services/, for example http://localhost:8080/PASService/rest/services/. The audience is the value the Service Layer checks tokens against, so it must match the URL the Service Layer is actually deployed at.
  - In the Secondary Audience section > Scopes, click Add option. The Add Scope dialog box appears. Enter the scope details and click Add option; the Resources screen appears.
- Click Next option. The Web Tier Policy screen appears; by default the Skip for later option is selected.
- Click Next option. The Authorization screen appears.
- Click Finish option. The Application Added dialog box appears. Note the Client ID and Client Secret generated. Treat the Client Secret as a credential: store it in a secrets store and keep it out of source code and configuration files checked into version control.
- Click Close option. The application is now activated.
- Go to the Configuration tab. In the Token Issuance Policy section, click Add Scope option. The Select Scope dialog box appears; select the Service Layer DEV application.
- Click Add option. The Configuration tab appears.
- Click Save option to save the settings.

The Service Layer DEV application is now registered with IDCS. Request an access token as described below and send it with every call to the resource APIs.
Request for access token:
- Method Type: POST
- Request URI: http://{hostname}:{portnumber}/PASService/rest/oauth2/token
- Content-Type: application/x-www-form-urlencoded
Request body consists of the following form fields:
- grant_type: client_credentials.
- scope: the scopes being requested, space separated, for example policies, policies clients, or all (based on requirement). The Authorization Server issues only the scopes the client is allowed under its Token Issuance Policy.
- CLIENT_ID: the Client ID generated after registering the application in the IDCS console.
- CLIENT_SECRET: the Client Secret generated after registering the application in the IDCS console.
The "access_token" returned in the response is sent on every call to a resource API in the Authorization header as a bearer token (Authorization: Bearer <access_token>). Access tokens have a finite lifetime; a client should request a new one when a resource call is rejected with 401 rather than caching a token indefinitely. Use https rather than http for any deployment beyond a local test: the client secret and the access token travel in the request body and headers, and over plain http they are readable by anyone on the network path.
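The exchange described above (the client credentials request and the bearer-authenticated resource call from the flow description earlier in this section), as an added example that is not part of the OIPA documentation or product code. It runs a constructed local stand-in for the /PASService/rest/oauth2/token endpoint and one protected resource so that the request and response can be seen end to end without a real IDCS tenant. The client ID, client secret, token value, the /PASService/rest/services/policies resource path and the mock's validation rules are all assumptions for illustration; the form field names client_id and client_secret follow RFC 6749, since the page lists CLIENT_ID and CLIENT_SECRET without stating the exact field names the Service Layer expects.

```python
"""Added example: OAuth 2.0 client_credentials exchange against a constructed
mock of the OIPA Service Layer token endpoint (not the project's own code)."""
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for the mock. Real values come from the IDCS
# "Application Added" dialog and must be kept out of source control.
MOCK_CLIENT_ID = "abc123clientid"
MOCK_CLIENT_SECRET = "s3cr3t-from-idcs"
MOCK_TOKEN = "eyJhbGciOi.constructed.token"
TOKEN_PATH = "/PASService/rest/oauth2/token"


class MockAuthAndResource(BaseHTTPRequestHandler):
    """Stand-in for the token endpoint (POST) and one protected resource (GET)."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_POST(self):
        if self.path != TOKEN_PATH:
            return self._send(404, {"error": "not_found"})
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        # Only the client_credentials grant with the registered client is accepted.
        ok = (form.get("grant_type") == ["client_credentials"]
              and form.get("client_id") == [MOCK_CLIENT_ID]
              and form.get("client_secret") == [MOCK_CLIENT_SECRET])
        if not ok:
            return self._send(401, {"error": "invalid_client"})
        return self._send(200, {"access_token": MOCK_TOKEN, "token_type": "Bearer",
                                "expires_in": 3600, "scope": form.get("scope", [""])[0]})

    def do_GET(self):
        # Resource calls must carry the issued token as a bearer token.
        if self.headers.get("Authorization") != f"Bearer {MOCK_TOKEN}":
            return self._send(401, {"error": "invalid_token"})
        return self._send(200, {"path": self.path, "policies": []})

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def request_token(base_url, client_id, client_secret, scope):
    """POST the form-encoded client_credentials request; return the JSON body."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope,
                                   "client_id": client_id, "client_secret": client_secret}).encode()
    req = urllib.request.Request(base_url + TOKEN_PATH, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)  # error document, e.g. {"error": "invalid_client"}


def call_resource(base_url, access_token, path):
    """GET a resource with the token in the Authorization header; return (status, body)."""
    req = urllib.request.Request(base_url + path,
                                 headers={"Authorization": f"Bearer {access_token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)


def start_mock():
    server = HTTPServer(("127.0.0.1", 0), MockAuthAndResource)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo():
    """Wrong secret is refused; right secret yields a token that opens the resource."""
    server, base = start_mock()
    try:
        bad = request_token(base, MOCK_CLIENT_ID, "wrong-secret", "policies")
        tok = request_token(base, MOCK_CLIENT_ID, MOCK_CLIENT_SECRET, "policies clients")
        status, _ = call_resource(base, tok["access_token"], "/PASService/rest/services/policies")
        unauth, _ = call_resource(base, "not-a-token", "/PASService/rest/services/policies")
        return bad, tok, status, unauth
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

Against a real deployment, replace the mock base URL with the Service Layer host (over https) and drop the mock class; request_token and call_resource are the only parts a client needs. The mock deliberately answers 401 for a wrong secret and for a bad bearer token so the two failure modes a caller must handle are visible.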