Example Authorization Flow

The Client Credentials grant type provides a grant flow in which the Resource Owner is not involved. In this scenario, the client application runs processes in which no Resource Owner participates, for example, a batch process or a server-to-server task.

When using this grant, the client application requests an access token with its own credentials (the client ID and secret) or with an assertion, and then uses the access token on its own behalf. This grant flow is best suited when a Service Provider wants to expose API methods that are used by the client application in general, rather than methods that apply to a particular Resource Owner, for example, API methods for maintenance.

When you create an application using the Client Credentials grant type in the Oracle Identity Cloud Service administration console UI:

  • Specify Trusted Application as the application type, because a mobile/browser application does not have a client secret and cannot use the Client Credentials grant.

  • Select Client Credentials as the grant type.

See Client Credentials Grant Type for more information on the Client Credentials grant type and an authorization flow diagram.

Authorization Flow

  1. A client-initiated event (for example, a scheduled task) requests access to protected resources from an OAuth client application.

    The token request carries parameters, sent in the form-encoded body of the POST, that indicate the type of access being requested:

    Example Request Using the Authorization Header

    curl -i \
    -H 'Authorization: Basic <base64Encoded clientid:secret>' \
    -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
    --request POST https://<IDCS-Service-Instance>.identity.oraclecloud.com/oauth2/v1/token \
    -d 'grant_type=client_credentials&scope=<scope value>'

    Example Request Using a JWT Client Assertion

    curl -i \
    -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
    --request POST https://<IDCS-Service-Instance>.identity.oraclecloud.com/oauth2/v1/token \
    -d 'grant_type=client_credentials&client_id=<client-id>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<client-assertion>&scope=<scope value>'
  2. The client application requests an access token from the Oracle Identity Cloud Service OAuth Authorization Server.
  3. The Oracle Identity Cloud Service OAuth Authorization Server authenticates the client application using either the Authorization header or the assertion it sent, and returns an access token containing all applicable Oracle Identity Cloud Service scopes, based on the privileges represented by the application roles granted to the requesting client application.
  4. The client application uses the access token to perform a request.
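The four steps above, worked through as an added example that is not part of the Oracle documentation and not Oracle's code. The client side builds the same two token requests shown in step 1 (Basic Authorization header, or a JWT client assertion in the form body), and a small stand-in for the authorization server performs step 3: it authenticates the client and issues a token whose scopes are derived from the application roles granted to that client. Everything here is constructed: the IDCS host name, client ID, secret, and the role-to-scope mapping are placeholders, the assertion claims follow RFC 7523 rather than any IDCS-specific profile, and the assertion is HMAC-signed (HS256) with the client secret only so that the example runs offline; a real client assertion is signed with the client's private key.

```python
"""Client Credentials grant, end to end, with no network: the client builds
the token request (Basic header or JWT client assertion) and a stand-in
authorization server authenticates the client and issues scoped tokens.
Constructed example; host, client id, secret and role mapping are placeholders,
and HS256 with the client secret stands in for the private-key signature."""
import base64, hashlib, hmac, json, time, uuid
from urllib.parse import urlencode, parse_qs

TOKEN_URL = "https://idcs-placeholder.identity.oraclecloud.com/oauth2/v1/token"  # placeholder host
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
COMMON = {"Content-Type": "application/x-www-form-urlencoded;charset=UTF-8"}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def basic_token_request(client_id: str, secret: str, scope: str) -> dict:
    """Request 1: client id and secret travel in an HTTP Basic Authorization header."""
    cred = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    return {"url": TOKEN_URL, "method": "POST",
            "headers": {**COMMON, "Authorization": f"Basic {cred}"},
            "body": urlencode({"grant_type": "client_credentials", "scope": scope})}

def make_client_assertion(client_id: str, key: bytes, aud: str, ttl: int = 300) -> str:
    """RFC 7523 client assertion: iss and sub are the client id, aud is the token
    endpoint, exp bounds its life, jti lets the server reject replays (not tracked
    here). HS256 with the client secret is an offline stand-in for RS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    now = int(time.time())
    claims = {"iss": client_id, "sub": client_id, "aud": aud,
              "iat": now, "exp": now + ttl, "jti": str(uuid.uuid4())}
    signing_input = f"{header}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def assertion_token_request(client_id: str, assertion: str, scope: str) -> dict:
    """Request 2: no Authorization header; the assertion travels in the form body."""
    return {"url": TOKEN_URL, "method": "POST", "headers": dict(COMMON),
            "body": urlencode({"grant_type": "client_credentials", "client_id": client_id,
                               "client_assertion_type": JWT_BEARER,
                               "client_assertion": assertion, "scope": scope})}

# --- stand-in authorization server (step 3); placeholder registrations ---
ROLE_SCOPES = {"User Administrator": {"urn:opc:idm:t.user.manage"}}
REGISTERED = {"batch-job-client": {"secret": b"s3cret-placeholder",
                                   "roles": ["User Administrator"]}}

def _verify_assertion(token: str, key: bytes, aud: str):
    """Return the claims if signature, audience and expiry check out, else None."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), s):
        return None
    claims = json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
    if claims.get("aud") != aud or claims.get("exp", 0) < time.time():
        return None
    return claims

def issue_token(req: dict) -> dict:
    """Authenticate by Basic header or assertion; scopes come from granted roles."""
    form = {k: v[0] for k, v in parse_qs(req["body"]).items()}
    if form.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    auth = req["headers"].get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            cid, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:
            return {"error": "invalid_client"}
        client = REGISTERED.get(cid)
        if not client or not hmac.compare_digest(client["secret"], secret.encode()):
            return {"error": "invalid_client"}
    elif form.get("client_assertion_type") == JWT_BEARER:
        client = REGISTERED.get(form.get("client_id", ""))
        if not client or not _verify_assertion(form.get("client_assertion", ""),
                                               client["secret"], TOKEN_URL):
            return {"error": "invalid_client"}
    else:
        return {"error": "invalid_client"}
    # Only scopes backed by a granted role are issued; unrequested means "all granted".
    granted = set().union(*(ROLE_SCOPES.get(r, set()) for r in client["roles"]))
    requested = set(form.get("scope", "").split())
    scopes = sorted(granted & requested) if requested else sorted(granted)
    if not scopes:
        return {"error": "invalid_scope"}
    return {"access_token": f"tok-{uuid.uuid4()}", "token_type": "Bearer",
            "expires_in": 3600, "scope": " ".join(scopes)}

if __name__ == "__main__":
    req = basic_token_request("batch-job-client", "s3cret-placeholder", "urn:opc:idm:t.user.manage")
    print(issue_token(req))
    a = make_client_assertion("batch-job-client", b"s3cret-placeholder", TOKEN_URL)
    print(issue_token(assertion_token_request("batch-job-client", a, "urn:opc:idm:t.user.manage")))
```

The stand-in server mirrors what step 3 describes: the token's scopes are an intersection of what the client asked for and what its granted application roles permit, so a client with the wrong secret, a tampered or wrongly-audienced assertion, or a scope no role backs gets an error rather than a token.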