1. Oracle Identity Cloud Service REST APIREST API for Oracle Identity Cloud Service
  2. Managing Authorization
  3. Access Grant Types
  4. TLS Client Authentication Grant Type
  5. Example Authorization Flow

Example Authorization Flow

The Transport Layer Security (TLS) Client Authentication grant type provides a specific grant flow in which the Resource Owner is not involved. In this scenario, the client application is running processes that don't have Resource Owner participation, for example, a batch process or a server-to-server task.

When using this grant type, the client application requests an access token with its own certificate (the certificate that is uploaded in the client profile) together with the Client ID and uses the access token on behalf of the client application itself. This grant flow is best suited when a Service Provider wants to provide some API methods that are to be used by the client application in general, instead of API methods that apply to a certain Resource Owner, for example, API methods for maintenance.

When you create an application using the TLS Client Authentication grant type in the Oracle Identity Cloud Service administration console user interface:
  • Specify Confidential Application as the application type. Mobile/browser applications don't have a client certificate and cannot use the TLS Client Authentication grant type.
  • Select TLS Client Authentication as the grant type.
  • Select Trusted or Confidential as the Client Type.
  • Import the Client Certiifcate. This certificate is used to validate the token request. Note: The client must use this same certificate in the token request.
  • For certificate revocation checking, you can configure a trusted partner certificate. See Enable X.509 Certificate Authentication.

See TLS Client Authentication Grant Type for more information on the TLS Client Authentication grant type and an authorization flow diagram.

  1. A client-initiated event (for example, a scheduled task) requests access to protected resources from an OAuth client application.

    The event URL contains query parameters that indicate the type of access being requested:

    Example Request Using the Authorization Header

    Note:

    cacert.crt is the CA certificate that signed the server's certificate for this TLS.

    client.key is client private key.

    client.crt is client certificate. 

    curl -i
--cacert cacert.crt --key client.key --cert client.crt
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8'--request POST https://<IDCS-Service-Instance>.secure.identity.oraclecloud.com/oauth2/v1/token -d 'grant_type=tls_client_auth&client_id=<client ID>&scope=<scope value>'
  2. The client application requests an access token from the Oracle Identity Cloud Service OAuth Authorization Server.
  3. The OAuth Authorization Server:
    1. Authenticates the client application based on the certificate sent as part of TLS handshake.
    2. Returns an access token containing all applicable Oracle Identity Cloud Service scopes based on the privileges specified by the application roles granted to the requesting client application.
  4. The client application uses the access token to perform a request.