Client Credentials Grant Workflow

Use the client credentials grant when the client itself owns the data and doesn’t need delegated access from a resource owner, or the delegated access has already been granted to the application outside of a typical OAuth workflow.

The client credentials grant provides a specific grant flow in which the resource owner (that is, the user) is not involved. When using this grant, the client application requests an access token using only its own credentials (the client identifier and secret) or an assertion, and uses the access token on behalf of the client application itself. This grant flow is best suited when a service provider wants to offer API methods that the client application uses in its own right, instead of methods that apply to a particular resource owner; API methods for maintenance are a typical example. This way of using an API is also referred to as userless access.

Security Properties

Depending on the use case for which you want to use the client credentials grant flow, a single set of credentials for a client could provide access to a large amount of data. The more data a single set of credentials has access to, the greater the risk if the credentials become compromised. It’s critical that the credentials used to authenticate the client are kept confidential. Ideally, these credentials would also be rotated regularly.

Key Characteristics of the Client Credentials Grant Type

  • It’s used by confidential clients.

  • The flow is not redirection-based.

  • It’s useful in cases where the client application communicates with the service provider directly and not on behalf of a resource owner.

  • The resource owner isn’t part of the flow.