2.1.7.3.4 TLS Client Authentication Grant Type
When to use: For high-security backend integrations using mutual TLS.
Note:
- The access token represents the application, not a user.
- A refresh token is returned only if offline_access is enabled in the app configuration.
Sample code with mTLS enabled
curl --location 'https://<idcs_secure_domain_url>/oauth2/v1/token' \
  --cacert ./ca.crt --cert ./client.crt --key ./client.key \
  --header "Authorization: Basic $encoded" \
  --header 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
  --data-urlencode 'grant_type=tls_client_auth' \
  --data-urlencode 'scope=<scope_value> urn:opc:resource:expiry=3600' \
  --data-urlencode 'client_id=<client_id>'
Sample response
{ "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6...", "token_type": "Bearer",
"expires_in": 3600, "refresh_token": "9e7d8f4a-xxxx-xxxx-xxxx-xxxx", }
For more details, see TLS Client Authentication Grant Type.