TLS Client Authentication Grant Type

Use the Transport Layer Security (TLS) client authentication grant type when the authorization scope is limited either to the protected resources under the control of the client application itself or to protected resources registered with the OAuth Authorization Server. The client proves its identity with the certificate it presents during the TLS handshake; no user credentials are involved.

The following diagram displays the TLS Client Authentication Grant Type flow.

[Diagram: TLS Client Authentication Grant Type flow]

Note: Prerequisite: Upload the client certificate to the client certificate store before the client application requests a token.

In this OAuth flow:

  1. As part of the TLS handshake, the client application presents its own certificate and Client ID to obtain an access token. Note: This certificate must match the certificate in the client certificate store.
  2. This requested access token is either associated with the client's own resources, and not a particular resource owner, or is associated with a resource owner for whom the client application is otherwise authorized to act.
  3. The Authorization Server returns the access token to the client application only after successful certificate validation.
  4. The client application uses the access token in an API call to update the app.
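The following is an added example, not code from the original page or from the product it documents, that models the Authorization Server side of the four steps above: the client certificate store populated in the prerequisite step, the "certificate must match" check at the token endpoint, a token that is bound to the client application only (no resource owner, no refresh token), and the final API call that accepts the token only for the client's own resources. The store layout (client_id mapped to the SHA-256 fingerprint of the registered certificate's DER bytes), the function names and the certificate byte strings are all assumptions constructed for the example.

```python
"""Added example: model of TLS client authentication at an OAuth token endpoint.

Assumptions (hypothetical, not taken from the page): the client certificate store
maps a client_id to the SHA-256 fingerprint of the uploaded certificate's DER
bytes, and the token endpoint receives the certificate the client presented in the
TLS handshake together with the client_id.
"""
import hashlib
import hmac
import secrets

# Constructed stand-ins for DER-encoded certificates (not real certificates).
REGISTERED_CERT = b"constructed DER bytes: certificate uploaded for inventory-service"
ROGUE_CERT = b"constructed DER bytes: certificate that was never uploaded"


def fingerprint(cert_der: bytes) -> str:
    """Return the hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()


# Prerequisite: the client certificate is uploaded to the client certificate store.
CLIENT_CERT_STORE = {"inventory-service": fingerprint(REGISTERED_CERT)}

# Tokens issued by this model server, keyed by the opaque access token value.
ISSUED_TOKENS: dict[str, dict] = {}


def authenticate_client(client_id: str, presented_cert_der: bytes, store=None):
    """Step 1 check: the presented certificate must match the one in the store.

    Returns (ok, reason) so callers can log the exact failure without leaking it
    to the client.
    """
    store = CLIENT_CERT_STORE if store is None else store
    expected = store.get(client_id)
    if expected is None:
        return False, "unknown client_id"
    # Constant-time comparison of the fingerprints.
    if not hmac.compare_digest(expected, fingerprint(presented_cert_der)):
        return False, "presented certificate does not match the registered certificate"
    return True, "ok"


def issue_token(client_id: str, presented_cert_der: bytes, ttl_seconds: int = 300):
    """Steps 2 and 3: issue a token only after successful certificate validation.

    The token is in the context of the client application: there is no resource
    owner (no user credentials were involved) and no refresh token is allowed.
    """
    ok, reason = authenticate_client(client_id, presented_cert_der)
    if not ok:
        # A generic error goes back to the client; the reason is for server logs.
        return {"error": "invalid_client"}, reason
    token = {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": ttl_seconds,
        "client_id": client_id,  # bound to the client application
        "sub": None,             # no resource owner
        # deliberately no "refresh_token": the grant type does not allow one
    }
    ISSUED_TOKENS[token["access_token"]] = token
    return token, reason


def call_api(access_token: str, resource_owner_client_id: str) -> bool:
    """Step 4: accept the token only for resources owned by the same client app."""
    token = ISSUED_TOKENS.get(access_token)
    return token is not None and token["client_id"] == resource_owner_client_id


if __name__ == "__main__":
    tok, why = issue_token("inventory-service", REGISTERED_CERT)
    print("issued:", {k: v for k, v in tok.items() if k != "access_token"}, why)
    print("api call on own resource:", call_api(tok["access_token"], "inventory-service"))
    print("rogue cert:", issue_token("inventory-service", ROGUE_CERT))
    print("unknown client:", issue_token("billing-service", REGISTERED_CERT))
```

The only credential the model server ever compares is the certificate fingerprint, which is why the prerequisite upload step matters: a client whose certificate is not in the store, or who presents a different certificate than the one uploaded, never reaches token issuance, and the token that is issued carries no user identity and no refresh token, matching the capability table for this grant type.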
The following table summarizes what this grant type supports.

Function                                                    Available
Requires client authentication                              Yes
Requires client to have knowledge of user credentials       No
Browser-based end user interaction                          No
Can use an external Identity Provider for authentication    No
Refresh token is allowed                                    No
Access token is in the context of the client application    Yes

See TLS Client Authentication Grant Type authorization flow for an example flow.