Client credentials can be used as an authorization grant when the authorization scope is limited to protected resources under the control of the OAuth client (that is, the client owns the resource), or to protected resources previously arranged with the OAuth service. This is typically the case when the OAuth client is acting on its own behalf (the OAuth client is also the resource owner), or is requesting access to protected resources based on an authorization previously arranged with the OAuth service. Only confidential OAuth clients can use the client credentials grant type.
How the Client Credentials Grant Works
- The client requests an access token from the OAuth service by providing its credentials.
- The OAuth service authenticates the client, and if valid, supplies an access token.
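The two steps above, shown from both sides as an added example that is not part of the original page or the OAuth service's own code. The message shapes follow RFC 6749 section 4.4; the client registry, client names, secret, scope names and token lifetime are constructed assumptions.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlencode

# Constructed registry (assumption): only confidential clients hold a secret.
# A plain SHA-256 of the secret is a simplification that presumes a random, high-entropy secret.
CLIENTS = {
    "billing-svc": {"confidential": True, "scopes": {"invoices.read"},
                    "secret_sha256": hashlib.sha256(b"s3cr3t-constructed").hexdigest()},
    "mobile-app": {"confidential": False, "scopes": {"invoices.read"},
                   "secret_sha256": None},
}

def build_token_request(client_id, client_secret, scope):
    """Client side: credentials go in HTTP Basic, the grant type in the form body."""
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}".encode()
    headers = {"Authorization": "Basic " + base64.b64encode(pair).decode(),
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode({"grant_type": "client_credentials", "scope": scope})

def handle_token_request(headers, body):
    """Service side: authenticate the client, then return (status, JSON-style dict)."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    try:
        cid, _, secret = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return 401, {"error": "invalid_client"}
    client = CLIENTS.get(unquote_plus(cid))
    if scheme != "Basic" or client is None:
        return 401, {"error": "invalid_client"}
    if not client["confidential"]:
        # Public clients cannot use this grant type.
        return 400, {"error": "unauthorized_client"}
    presented = hashlib.sha256(unquote_plus(secret).encode()).hexdigest()
    if not hmac.compare_digest(presented, client["secret_sha256"]):  # constant-time compare
        return 401, {"error": "invalid_client"}
    requested = set(form.get("scope", "").split())
    if not requested <= client["scopes"]:
        # Scope is limited to what was arranged for this client.
        return 400, {"error": "invalid_scope"}
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                 "expires_in": 3600, "scope": " ".join(sorted(requested))}
```

No refresh token is returned: the client can repeat the request with its own credentials when the access token expires.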