August 23, 2023

OAuth 2.0 Client Credentials Grant

Used for machine-to-machine communication

The client must be able to keep its credentials confidential: it authenticates to the token endpoint with its own client secret, and the Access Token is returned directly to it

https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.2

     POST /token HTTP/1.1
     Host: server.example.com
     Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
     Content-Type: application/x-www-form-urlencoded

     grant_type=client_credentials

   grant_type
         REQUIRED.  Value MUST be set to "client_credentials".

   scope
         OPTIONAL.  The scope of the access request as described by
         Section 3.3.

$ curl -s -X POST \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -u 'spring-boot3-oauth2-login:jO09Uwhi8oxTL3QnTKtYZ20ByQvB2qA0' \
  http://localhost:8180/auth/realms/demo/protocol/openid-connect/token \
  -d "grant_type=client_credentials&scope=openid&client_id=spring-boot3-oauth2-login" | jq -r
{
  "access_token": "eyJhbGci...tYfo6rEPEakNg",
  "expires_in": 180,
  "refresh_expires_in": 0,
  "token_type": "Bearer",
  "id_token": "eyJhbGci...KaoQ",
  "not-before-policy": 0,
  "scope": "openid email profile"
}

Parsed Access Token

{
  "exp": 1692791418,
  "iat": 1692791238,
  "jti": "a30d999e-2b26-4720-92a1-d907161675a0",
  "iss": "http://localhost:8180/auth/realms/demo",
  "aud": "account",
  "sub": "0fb7c670-ae44-412c-9da1-cf150eb0c327",
  "typ": "Bearer",
  "azp": "spring-boot3-oauth2-login",
  "acr": "1",
  "allowed-origins": [
    "http://localhost:8080"
  ],
  "realm_access": {
    "roles": [
      "offline_access",
      "default-roles-demo",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid email profile",
  "email_verified": false,
  "clientId": "spring-boot3-oauth2-login",
  "clientHost": "127.0.0.1",
  "preferred_username": "service-account-spring-boot3-oauth2-login",
  "clientAddress": "127.0.0.1"
}
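As an added example (not code from the post), the request construction from RFC 6749 and the claim checks a resource server would apply to a token like the parsed one above, in Python. The sample JWT is constructed here from the page's claims with a dummy signature; the issuer and client values are the page's localhost realm ones, and the `service-account-` username prefix is the convention seen in the parsed token.

```python
import base64
import json
import time
from typing import List, Optional
from urllib.parse import quote, urlencode
from urllib.request import Request

def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 s2.3.1: form-urlencode id and secret, join with ':', base64 the result."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")

def build_token_request(token_url: str, client_id: str, client_secret: str,
                        scope: Optional[str] = None) -> Request:
    """RFC 6749 s4.4.2: grant_type (and optional scope) in the body, client auth in the header."""
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    return Request(token_url, data=urlencode(form).encode("ascii"), method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded",
                            "Authorization": basic_auth_header(client_id, client_secret)})

def unverified_claims(jwt: str) -> dict:
    """Decode the payload segment only. This does NOT verify the signature: a resource
    server must verify it against the issuer's published keys before trusting any claim."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def claim_problems(claims: dict, issuer: str, client_id: str,
                   now: Optional[int] = None) -> List[str]:
    """Checks applied after signature verification to a client-credentials token."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("unexpected issuer")
    if claims.get("azp") != client_id:  # azp = the client the token was issued to
        problems.append("token was issued to a different client")
    if now >= claims.get("exp", 0):
        problems.append("token expired")
    if not claims.get("preferred_username", "").startswith("service-account-"):
        problems.append("not a service-account token")
    return problems

# Constructed sample: the claims shown on the page, wrapped in a JWT with a dummy signature.
SAMPLE_CLAIMS = {"exp": 1692791418, "iat": 1692791238, "aud": "account",
                 "iss": "http://localhost:8180/auth/realms/demo", "azp": "spring-boot3-oauth2-login",
                 "preferred_username": "service-account-spring-boot3-oauth2-login"}
_b64url = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")
SAMPLE_JWT = ".".join([_b64url(b'{"alg":"RS256","typ":"JWT"}'),
                       _b64url(json.dumps(SAMPLE_CLAIMS).encode()), "dummy-signature"])
```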

Compare with the OAuth 2.0 Resource Owner Password Credentials Grant, where the Access Token is requested on behalf of a logged-in user by sending that user's username and password to the token endpoint

$ curl -s -X POST \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -u 'spring-boot3-oauth2-login:jO09Uwhi8oxTL3QnTKtYZ20ByQvB2qA0' \
  http://localhost:8180/auth/realms/demo/protocol/openid-connect/token \
  -d "grant_type=password&username=john&password=changeit" | jq -r
