Obtaining an Access Token by Using a Client Authorization Header

The client credentials workflow allows the client application to obtain an access token by using the basic authorization header.

In Oracle Cloud, all OAuth clients are confidential by default and so their credentials (client_id and password) are never exposed. The client_id and password credentials are encoded and sent in the basic authorization header. The format used to obtain the header value is base64encoded(client_id:password).

Parameters used in the access token request:
  • X-USER-IDENTITY-DOMAIN-NAME: The name of the identity domain.

  • Authorization: Basic: The basic authorization header. The client identifier and client secret of the client application are base64-encoded and sent in the header. For example, the authorization header has the value of base64encoded(client_id:password).

  • Content-Type: The media type of the request body. The body is form-encoded, so the value is application/x-www-form-urlencoded.

  • Request: The type of request that’s sent. In the example that follows, a POST request is used to obtain an access token. This is followed by the URL of the authorization server's token endpoint, which issues tokens.

  • grant_type: The grant type used to obtain the token. In the example that follows, the grant type is client credentials. The value of client_credentials is given for this grant type.

  • scope: The scope requested for the access token. In the example that follows, it is the API path of the resource.

The client identifier and password are encoded and sent in the basic authorization header of the token request.

To obtain an access token by providing the client credentials, use the following cURL command:

curl -i -H 'X-USER-IDENTITY-DOMAIN-NAME: OAuthTestTenant125' \
  -H 'Authorization: Basic MzAzYTI0OTItZDY0Zi00ZTA0LWI3OGYtYjQzMzAwNDczMTJiOll5Sk5NSkdFc0ZqUkxWZVZsdVMz' \
  -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
  --request POST https://<idm-domain>.identity.<data-center>.oraclecloud.com/oauth/tokens \
  -d 'grant_type=client_credentials&scope=http://www.example.com'
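The same request built step by step in Python, as an added example that is not part of the Oracle documentation: it encodes base64encoded(client_id:password) for the Basic header, assembles the headers and form body the cURL command sends, and checks the shape of the token response. The client_id, tenant name, scope and placeholder token URL are the ones shown on this page; the client secret is what the page's Basic header value decodes to. The request_access_token function performs a real network call and is only useful against a reachable endpoint.

```python
import base64
import json
import urllib.parse
import urllib.request

# Sample values taken from the page's request: the client_id is the one that
# appears as the token's "sub" claim, and the secret is what the page's Basic
# header value decodes to. The token URL is the page's placeholder endpoint.
SAMPLE_CLIENT_ID = "303a2492-d64f-4e04-b78f-b4330047312b"
SAMPLE_CLIENT_SECRET = "YyJNMJGEsFjRLVeVluS3"
SAMPLE_TENANT = "OAuthTestTenant125"
SAMPLE_SCOPE = "http://www.example.com"
TOKEN_URL = "https://<idm-domain>.identity.<data-center>.oraclecloud.com/oauth/tokens"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Return base64encoded(client_id:password), the value that follows 'Basic '."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def build_token_request(tenant: str, client_id: str, client_secret: str,
                        scope: str, token_url: str = TOKEN_URL):
    """Assemble the POST that the page's cURL command sends.

    Returns (url, headers, body) so the pieces can be inspected or handed to
    any HTTP client. The body is form-encoded to match the Content-Type.
    """
    headers = {
        "X-USER-IDENTITY-DOMAIN-NAME": tenant,
        "Authorization": "Basic " + basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    return token_url, headers, body


def parse_token_response(response_text: str) -> dict:
    """Validate the shape of the JSON token response shown on the page.

    Raises ValueError unless the response carries a Bearer token with a lifetime.
    """
    data = json.loads(response_text)
    if data.get("token_type") != "Bearer":
        raise ValueError(f"unexpected token_type: {data.get('token_type')!r}")
    if not data.get("access_token") or not isinstance(data.get("expires_in"), int):
        raise ValueError("response lacks access_token or expires_in")
    return {"access_token": data["access_token"], "expires_in": data["expires_in"]}


def request_access_token(tenant, client_id, client_secret, scope, token_url=TOKEN_URL):
    """Send the request over the network and return the parsed token response."""
    url, headers, body = build_token_request(tenant, client_id, client_secret, scope, token_url)
    req = urllib.request.Request(url, data=body.encode("ascii"), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:  # the endpoint is HTTPS only
        return parse_token_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    url, headers, body = build_token_request(
        SAMPLE_TENANT, SAMPLE_CLIENT_ID, SAMPLE_CLIENT_SECRET, SAMPLE_SCOPE)
    print("POST", url)
    for name, value in headers.items():
        print(f"{name}: {value}")
    print()
    print(body)
```

Because the secret travels in a request header, prefer reading it from an environment variable or a secrets store at runtime rather than pasting it into a command line, where it is visible in shell history and to other local users via the process list.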

The output of the cURL command is:
{
"expires_in":3600,
"token_type":"Bearer",
"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1dCI6Ild3cmVwdTJkYXNhSXBHUi1BbFZwSGtVQjZKZyIsImtp
ZCI6Ik9BdXRoVGVzdFRlbmFudDEyNS5jZXJ0In0.eyJzdWIiOiIzMDNhMjQ5Mi1kNjRmLTRlMDQtYjc4Zi1iNDMzMDA0NzMxMmIiLCJp
c3MiOiJPQXV0aFRlc3RUZW5hbnQxMjUiLCJvcmFjbGUub2F1dGguc3ZjX3BfbiI6Ik9BdXRoVGVzdFRlbmFudDEyNVNlcnZpY2VQcm9m
aWxlIiwiaWF0IjoxNDI1NDIyMDk0MDAwLCJvcmFjbGUub2F1dGgucHJuLmlkX3R5cGUiOiJDbGllbnRJRCIsImV4cCI6MTQyNTQyNTY5
NDAwMCwib3JhY2xlLm9hdXRoLnRrX2NvbnRleHQiOiJyZXNvdXJjZV9hY2Nlc3NfdGsiLCJhdWQiOlsiaHR0cDovL3d3dy5leGFtcGxl
LmNvbSJdLCJwcm4iOiIzMDNhMjQ5Mi1kNjRmLTRlMDQtYjc4Zi1iNDMzMDA0NzMxMmIiLCJqdGkiOiJlODE0NjgyOC1kNWIyLTQxNjkt
ODU3Ny03MTJmODM2YjcyNDEiLCJvcmFjbGUub2F1dGguY2xpZW50X29yaWdpbl9pZCI6IjMwM2EyNDkyLWQ2NGYtNGUwNC1iNzhmLWI0
MzMwMDQ3MzEyYiIsIm9yYWNsZS5vYXV0aC5zY29wZSI6Imh0dHA6Ly93d3cuZXhhbXBsZS5jb20iLCJ1c2VyLnRlbmFudC5uYW1lIjoi
T0F1dGhUZXN0VGVuYW50MTI1Iiwib3JhY2xlLm9hdXRoLmlkX2RfaWQiOiIxMzQ2MzY3NTEzODMwMjU2NiJ9.hM6nwuhj8h7L7vK6ozc
mm-xcyVoFbCkLln8oZZPPlIpf7o-Bahj3J5vcgqTuBl89pVGR-ly6m2AH-v0yOdWD2Qfo8pnU14B3o01Z7U_vkxu_pc_3qz5P5Jk0rDm
xNT3iVeNK2rht41aXdQBiXJkGOAkUXpI6_MzK5kkY0zHm7PnybkipTfmUy8jEyRhwYvBGFsWvTGp5nIUP6zrmTfxAb2q-hgFFV1HIGqm
7uGXZA1c7svXttkwEuajV3bWkaaFUe8YGuiokR-nraoOvs18WpY08eSoiBPu8eTdp_ff6WWpjmMRe4YHvYNWmkbVxP3XD1sRtClLsgb6
eSqVwIK4HFQ"
}

The JSON web token (JWT) obtained can be decoded and the claims in the access token can be viewed as follows:

Access token:
{
 alg: "RS256",
 typ: "JWT",
 x5t: "Wwrepu2dasaIpGR-AlVpHkUB6Jg",
 kid: "OAuthTestTenant125.cert"
}.
{
 sub: "303a2492-d64f-4e04-b78f-b4330047312b",
 iss: "OAuthTestTenant125",
 oracle.oauth.svc_p_n: "OAuthTestTenant125ServiceProfile",
 iat: 1425422094000,
 oracle.oauth.prn.id_type: "ClientID",
 exp: 1425425694000,
 oracle.oauth.tk_context: "resource_access_tk",
 aud: [
  "http://www.example.com"
 ],
 prn: "303a2492-d64f-4e04-b78f-b4330047312b",
 jti: "e8146828-d5b2-4169-8577-712f836b7241",
 oracle.oauth.client_origin_id: "303a2492-d64f-4e04-b78f-b4330047312b",
 oracle.oauth.scope: "http://www.example.com",
 user.tenant.name: "OAuthTestTenant125",
 oracle.oauth.id_d_id: "13463675138302566"
}.
[signature]

Audience and scope claims in the output:

The audience claim in an access token always contains the API path of the resource. The oracle.oauth.scope claim contains the valid API path with the scope in the response. In the prior example, the incoming request has a scope of http://www.example.com, and the client audience configuration also has a value of http://www.example.com. The OAuth token service validates the incoming request scope against the value found in the client audience configuration. Because this is a valid request, the OAuth token service sends a valid access token in the response. In this case, the audience claim and the scope have the same value of http://www.example.com.
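The decoding shown under "Access token" above and the audience/scope rule in this paragraph, carried out in Python as an added example that is not part of the Oracle documentation. It splits the page's own access token (re-joined from the wrapped lines of the JSON output) into header, claims and signature, and then applies the checks a resource server would make on the claims: issuer, audience containing the resource's API path, oracle.oauth.scope equal to it, and the validity window. The decode step does not verify the RS256 signature, which a real consumer must do against the issuer's certificate named by kid before trusting any claim; the expected-resource and expected-issuer parameters are assumptions of this example.

```python
import base64
import json
import time

# The access token from the page's example response, re-joined from the
# wrapped lines of the JSON output exactly as printed there.
PAGE_ACCESS_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1dCI6Ild3cmVwdTJkYXNhSXBHUi1BbFZwSGtVQjZKZyIsImtp"
    "ZCI6Ik9BdXRoVGVzdFRlbmFudDEyNS5jZXJ0In0.eyJzdWIiOiIzMDNhMjQ5Mi1kNjRmLTRlMDQtYjc4Zi1iNDMzMDA0NzMxMmIiLCJp"
    "c3MiOiJPQXV0aFRlc3RUZW5hbnQxMjUiLCJvcmFjbGUub2F1dGguc3ZjX3BfbiI6Ik9BdXRoVGVzdFRlbmFudDEyNVNlcnZpY2VQcm9m"
    "aWxlIiwiaWF0IjoxNDI1NDIyMDk0MDAwLCJvcmFjbGUub2F1dGgucHJuLmlkX3R5cGUiOiJDbGllbnRJRCIsImV4cCI6MTQyNTQyNTY5"
    "NDAwMCwib3JhY2xlLm9hdXRoLnRrX2NvbnRleHQiOiJyZXNvdXJjZV9hY2Nlc3NfdGsiLCJhdWQiOlsiaHR0cDovL3d3dy5leGFtcGxl"
    "LmNvbSJdLCJwcm4iOiIzMDNhMjQ5Mi1kNjRmLTRlMDQtYjc4Zi1iNDMzMDA0NzMxMmIiLCJqdGkiOiJlODE0NjgyOC1kNWIyLTQxNjkt"
    "ODU3Ny03MTJmODM2YjcyNDEiLCJvcmFjbGUub2F1dGguY2xpZW50X29yaWdpbl9pZCI6IjMwM2EyNDkyLWQ2NGYtNGUwNC1iNzhmLWI0"
    "MzMwMDQ3MzEyYiIsIm9yYWNsZS5vYXV0aC5zY29wZSI6Imh0dHA6Ly93d3cuZXhhbXBsZS5jb20iLCJ1c2VyLnRlbmFudC5uYW1lIjoi"
    "T0F1dGhUZXN0VGVuYW50MTI1Iiwib3JhY2xlLm9hdXRoLmlkX2RfaWQiOiIxMzQ2MzY3NTEzODMwMjU2NiJ9.hM6nwuhj8h7L7vK6ozc"
    "mm-xcyVoFbCkLln8oZZPPlIpf7o-Bahj3J5vcgqTuBl89pVGR-ly6m2AH-v0yOdWD2Qfo8pnU14B3o01Z7U_vkxu_pc_3qz5P5Jk0rDm"
    "xNT3iVeNK2rht41aXdQBiXJkGOAkUXpI6_MzK5kkY0zHm7PnybkipTfmUy8jEyRhwYvBGFsWvTGp5nIUP6zrmTfxAb2q-hgFFV1HIGqm"
    "7uGXZA1c7svXttkwEuajV3bWkaaFUe8YGuiokR-nraoOvs18WpY08eSoiBPu8eTdp_ff6WWpjmMRe4YHvYNWmkbVxP3XD1sRtClLsgb6"
    "eSqVwIK4HFQ"
)


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding (RFC 7515); restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str):
    """Split a compact JWS into (header, claims, signature_bytes) without verifying it.

    Use this only to inspect a token. A resource server must verify the RS256
    signature against the issuer's certificate named by `kid`, pinning the
    algorithm it expects rather than trusting the header's `alg`, before it
    acts on any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    signature = _b64url_decode(parts[2])
    return header, claims, signature


def check_claims(claims: dict, expected_resource: str, expected_issuer: str,
                 now_ms: int, leeway_ms: int = 0) -> list:
    """Return the problems found with the claims; an empty list means they pass.

    Mirrors the page's audience/scope rule: `aud` must contain the resource's
    API path and `oracle.oauth.scope` must equal it. This token's `iat`/`exp`
    are in milliseconds (1425422094000), not the seconds RFC 7519 specifies,
    so the current time is taken in milliseconds too.
    """
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("issuer mismatch")
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # RFC 7519 allows a single string or a list
        aud = [aud]
    if expected_resource not in aud:
        problems.append("audience mismatch")
    if claims.get("oracle.oauth.scope") != expected_resource:
        problems.append("scope mismatch")
    exp = claims.get("exp")
    if exp is None or now_ms > exp + leeway_ms:
        problems.append("expired")
    iat = claims.get("iat")
    if iat is not None and now_ms + leeway_ms < iat:
        problems.append("issued in the future")
    return problems


if __name__ == "__main__":
    header, claims, signature = decode_jwt_unverified(PAGE_ACCESS_TOKEN)
    print(json.dumps(header, indent=1))
    print(json.dumps(claims, indent=1))
    print(f"signature: {len(signature)} bytes")
    # The page's token was issued in 2015, so against the wall clock it fails only on time.
    print(check_claims(claims, "http://www.example.com", "OAuthTestTenant125",
                       now_ms=int(time.time() * 1000)))
```

The signature decodes to 256 bytes, the length of an RSA-2048 signature, which is consistent with the RS256 algorithm in the header; exp minus iat is 3 600 000 ms, matching the expires_in of 3600 seconds in the response.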