OAuth2 - Client Credentials
The Client Credentials flow is intended for server-side (AKA "confidential") client applications with no end user, which normally describes machine-to-machine communication.
The application must be server-side because it must be trusted with the client secret. It cannot be used by an actual end user, as the credentials are hard-coded. In other words, the Client Credentials grant type is used when an application requests an access token to access its own resources, not on behalf of a user.
It involves a single authenticated request to the /token endpoint, which returns an access token.
Configuration steps to set up an OAuth2 authentication using the client credentials grant type:
- Application registration: authorizes the client to the target service
- Datasource configuration: configure the datasource in Elements Connect
- Access token retrieval: retrieve access token after requesting it to the authorization server
Let's take the example of connecting to Okta's REST API using the client credentials grant type:
The Client Credentials flow doesn't support refresh tokens. Since the client is already trusted by the authorization server, simply requesting a new access token when the previous one expires is enough.
Configuration steps
1. Application Registration
Before using OAuth2 with Elements Connect, the first step is to register Elements Connect as an Application with the service.
This is done through a registration form, where the following information shall be provided:
- Application Name: to identify the Application, for example Elements Connect
- Grant types: client_credentials
- Granted scopes: to set the access level of Elements Connect
Once the Application is created and configured, the Client secret and Client ID are generated.
These values will be needed for the next step.
2. Datasource configuration
- From the Elements Connect administration page, create a new Datasource of type "URL".
- From the datasource configuration page, select OAuth2 - Client credentials from the Authentication field.
This will display the following fields. The values to enter are specific to each REST API:
| Parameter | Description |
|---|---|
| Access token URL | The access token URL is provided by your remote service. Usually the endpoint ends with /token. |
| Client ID | Unique identifier for the client. |
| Client Secret | Secret provided at the same time as the Client ID above. |
| Scopes (optional) | Specifies the access level that Elements Connect is requesting. The access token issued to the application will be limited to the scopes granted. |
3. Access token retrieval
The next step is to request an access token in order to be authorized to access the resources of the resource server.
- When all fields have been filled in correctly, click "Get access token".
A "Valid access token" status is displayed if the access token was successfully retrieved. If the access token has an expiry date, that date is displayed alongside the status.
If the access token has an expiry date, a new access token will be requested automatically, without user interaction.
- Click "Save". The fetched token will be stored next to the datasource configuration in the database.
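As an added example (not Elements Connect's own code), the flow that the three steps above configure in the UI, written out in Python with only the standard library: the single Basic-authenticated POST to the token URL from step 2, parsing of the token response with its optional expiry, and the automatic re-request on expiry from step 3 that takes the place of the refresh token this grant lacks. The token URL, client ID, secret, scope and server response used in the demo are constructed placeholders.

```python
import base64
import json
import time
import urllib.parse
import urllib.request


def build_token_request(token_url, client_id, client_secret, scopes=()):
    """The single authenticated POST to the /token endpoint. Client ID and secret travel
    in an HTTP Basic Authorization header (never in the URL); grant type and scopes go in the body."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    form = {"grant_type": "client_credentials"}
    if scopes:
        form["scope"] = " ".join(scopes)  # OAuth2 scopes are space-separated
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return urllib.request.Request(token_url, data=urllib.parse.urlencode(form).encode(),
                                  headers=headers, method="POST")


def parse_token_response(raw_json, now):
    """Return (access_token, expires_at); expires_at is None when the server sends no expires_in."""
    data = json.loads(raw_json)
    if "access_token" not in data:
        raise ValueError("token endpoint error: " + str(data.get("error", "no access_token")))
    expires_in = data.get("expires_in")
    return data["access_token"], (now + int(expires_in) if expires_in is not None else None)


class ClientCredentialsSession:
    """Caches the token and, since this grant issues no refresh token, simply asks the
    authorization server for a new one shortly before the cached one expires."""
    def __init__(self, fetch_raw, skew=30):
        self._fetch_raw = fetch_raw  # callable returning the raw JSON body of a /token response
        self._skew = skew            # seconds of safety margin before the stated expiry
        self._token, self._expires_at, self.requests = None, None, 0

    def access_token(self, now=None):
        now = time.time() if now is None else now
        expiring = self._expires_at is not None and now >= self._expires_at - self._skew
        if self._token is None or expiring:
            self._token, self._expires_at = parse_token_response(self._fetch_raw(), now)
            self.requests += 1
        return self._token


if __name__ == "__main__":
    # Constructed stand-in for the authorization server's response, so this runs offline;
    # with a real server, pass lambda: urllib.request.urlopen(req).read().decode() instead.
    sample = '{"access_token": "tok-1", "token_type": "Bearer", "expires_in": 3600}'
    session = ClientCredentialsSession(lambda: sample)
    print(session.access_token(now=0), session.requests)     # tok-1 1
    print(session.access_token(now=3580), session.requests)  # tok-1 2 (re-requested 30 s early)
```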