TLS Client Authentication Grant Type
Use the Transport Layer Security (TLS) grant type when the authorization scope is limited to the protected resources under the control of the client or to protect resources registered with the OAuth Authorization Server.
The following diagram displays the TLS Client Authentication Grant Type flow.

Note: Prerequisite: Upload the client certificate to the client certificate store.

In this OAuth flow:
- As part of the TLS handshake, the client application presents its own certificate and Client ID to obtain an access token. Note: This certificate must match the certificate in the client certificate store.
- This requested access token is either associated with the client's own resources, and not a particular resource owner, or is associated with a resource owner for whom the client application is otherwise authorized to act.
- The Authorization Server returns the access token to the client application only after successful certificate validation.
- The client application uses the access token in an API call to update the app.
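
The server-side check behind the steps above, as an added example that is not the product's own code: the certificate presented in the handshake is compared by SHA-256 fingerprint with the one uploaded for that Client ID, and a token is returned only on a match. `ClientCertStore`, `token_request`, the client ID, the scope string and the certificate bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
import ssl


def fingerprint(der: bytes) -> bytes:
    """SHA-256 over the DER encoding of a certificate."""
    return hashlib.sha256(der).digest()


class ClientCertStore:
    """Hypothetical store: Client ID -> fingerprint of the uploaded certificate."""

    def __init__(self):
        self._pins = {}

    def upload(self, client_id: str, pem: str) -> None:
        # Prerequisite step: the client certificate is uploaded ahead of time.
        self._pins[client_id] = fingerprint(ssl.PEM_cert_to_DER_cert(pem))

    def matches(self, client_id: str, presented_der: bytes) -> bool:
        pinned = self._pins.get(client_id)
        if pinned is None or not presented_der:
            return False
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(pinned, fingerprint(presented_der))


def token_request(store, client_id, presented_der, scope):
    """Return a token response only when the handshake certificate matches the store.

    presented_der is what ssl.SSLSocket.getpeercert(binary_form=True) returns
    once the TLS layer has validated the chain; this is the additional match step.
    """
    if not store.matches(client_id, presented_der):
        return {"error": "invalid_client"}
    # No refresh_token key: this grant type does not allow a refresh token.
    return {"access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer", "scope": scope}


# Constructed stand-ins for DER certificates (opaque bytes, not real X.509).
CERT_A = b"constructed-der-certificate-A"
CERT_B = b"constructed-der-certificate-B"

STORE = ClientCertStore()
STORE.upload("client-a", ssl.DER_cert_to_PEM_cert(CERT_A))
```
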
Function | Available |
---|---|
Requires client authentication | Yes |
Requires client to have knowledge of user credentials | No |
Browser-based end user interaction | No |
Can use an external Identity Provider for authentication | No |
Refresh token is allowed | No |
Access token is in the context of the client application | Yes |
See TLS Client Authentication Grant Type authorization flow for an example flow.