Client Credentials Grant
Aidbox supports machine-to-machine (m2m) authentication via the OAuth 2.0 Client Credentials flow.
The Client Credentials grant is used when applications request an access token to access their own resources, not on behalf of a user (for example, background services and daemons). It must be used only by confidential clients.
The Aidbox OAuth module supports the Client Credentials Grant flow in two request formats. The first adheres strictly to the specification for better compatibility. The second uses a JSON request as a more modern and simpler way. Read the official OAuth 2.0 specification for more details.
Easy way
The easiest way to test the Client Credentials Grant flow is to run through it in the Aidbox Sandbox UI (Auth -> Sandbox -> Client Credentials).
Configure Client
To start using this flow you have to create and configure a Client. The only required parameter is secret, and you also have to enable this flow for the client with grant_types: ['client_credentials'].
You can also configure the token's format and expiration, as well as refresh token behaviour:
| attribute | options | desc |
|---|---|---|
| auth.client_credentials.token_format | jwt | use access token in jwt format |
| auth.client_credentials.access_token_expiration | int (seconds) | token expiration time from issued at |
| auth.client_credentials.refresh_token | true/false | enable refresh_token |
| auth.client_credentials.refresh_token_expiration | int (seconds) | refresh token expiration time from issued or last usage |
Since by default a new client has no access to any resources, you will probably want to configure an AccessPolicy for this specific client:
Get Access Token
The next step is to exchange the client id and secret for an Access Token.
Either use the Authorization header with {base64(Client.id + ':' + Client.secret)}, or send a JSON request with client_id and client_secret in the body:
For a simple client configuration you will get JSON with access_token in the response:
Audience
If you use the JWT token format and pass an additional audience parameter in the token request, the resulting token's aud claim will be set to the value you sent.
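The following is an added example (not code from the Aidbox documentation) covering the Get Access Token and Audience sections above: it builds the Authorization header for the spec-style request, the body for the JSON-style request including the optional audience parameter, and decodes a JWT payload so a service can check the aud claim it was issued before trusting the token. The token endpoint path /auth/token, the credentials and the sample JWT are constructed assumptions for illustration.

```python
import base64
import json
import urllib.request

# Constructed sample credentials for the example; not real Aidbox values.
CLIENT_ID = "my-service"
CLIENT_SECRET = "s3cr3t"


def basic_auth_header(client_id, client_secret):
    """Authorization value for the spec-compliant request: base64(id:secret) with the Basic scheme."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def json_token_request(client_id, client_secret, audience=None):
    """Body for the JSON-style request; audience only affects tokens in jwt format."""
    body = {"grant_type": "client_credentials", "client_id": client_id, "client_secret": client_secret}
    if audience:
        body["audience"] = audience
    return body


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature; use only to inspect claims such as aud."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding stripped from JWTs
    return json.loads(base64.urlsafe_b64decode(payload))


def bearer_header(access_token):
    """Authorization value for subsequent Aidbox API calls."""
    return f"Bearer {access_token}"


def fetch_token(base_url, client_id, client_secret, audience=None):
    """POST the JSON request to the token endpoint (assumed: {base_url}/auth/token) and parse the response."""
    req = urllib.request.Request(
        f"{base_url}/auth/token",
        data=json.dumps(json_token_request(client_id, client_secret, audience)).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _b64url(data):
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


# Constructed unsigned sample token (alg none, empty signature) to exercise jwt_claims offline.
SAMPLE_JWT = ".".join([_b64url(b'{"alg":"none"}'), _b64url(b'{"aud":"my-api","sub":"my-service"}'), ""])
```

A service receiving a token should compare jwt_claims(token)["aud"] with its own identifier and reject mismatches; signature verification is still required and is not shown here.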
Using Access Token
You can use the access token in the Authorization header for Aidbox API calls:
Refresh Access Token
To get a new access token using the refresh token:
Revoke Access Token (Close Session)
Aidbox creates a Session resource for each Access Token; it can be closed with the special endpoint DELETE /Session, passing the token in the Authorization header:
A Session is just a Resource, so you can inspect and manipulate sessions with the standard Search & CRUD API; for example, get all sessions with GET /Session.