Step-by-Step Workflow of the Client Credentials Grant

The client credentials grant workflow relies on the client being able to properly authenticate with the authorization server and the client’s authentication credentials remaining confidential.

When using the client credentials grant workflow, only the client details are used for authentication and there is no resource owner.

Workflow of the Client Credentials Grant

  1. Request an access token: The client credentials are exchanged for an access token. The client application makes a request to the authorization server, including the HTTP Basic authentication header and, optionally, a client assertion. The client application can use an already-generated client assertion or build a new one. The client assertion is a standard JSON Web Token (JWT), signed by a trusted or confidential client using its private key. Verify that the following claims are part of the client assertion:

    Header
    {
      "alg": "RS256",
      "typ": "JWT",
      "x5t": "<X5t of the certificate>"
    }
    Body
    {
      "exp": <Expiry Time in seconds>,
      "sub": "<clientId>",
      "aud": [ "oauth.idm.oracle.com" ],
      "iss": "<clientId>",
      "oracle.oauth.sub.id_type": "ClientID",
      "prn": "<clientId>",
      "jti": "<Globally Unique Id representing the token>",
      "iat": <Issued at Time in seconds>,
      "user.tenant.name": "<tenantname>",
      "oracle.oauth.prn.id_type": "ClientID"
    }

    An access token can be obtained through different scenarios in the client credentials workflow.

  2. Receive an access token from the authorization server: The authorization server authenticates the client based on the authorization header or the assertion sent and returns a response. If the client is authenticated and the supplied parameters are valid, the client receives an access token in the response. This is described in Successful Authorization.

    If the authorization request fails for any reason, the authorization server returns a response containing information about the error. This is described in Authorization Error.

  3. Use the access token to make a service request: The OAuth client makes a REST API call to the resource server using the access token to access the protected resource.

  4. Send a response: The OAuth resource server sends a response to the service request.

  5. Grant access to the resource: The client (end user) or service gets access to the protected resource.