
Client Credentials Flow

What is Client Credentials Flow

Machine To Machine communication diagram

The Client Credentials Flow is a common pattern for machine-to-machine (M2M) communication. It is used when an application (such as a backend service or API) needs to authenticate itself to another service without involving a user.

Key Components

  • Client: The application that wants to access services provided by the resource server.
  • Resource Server: The server that hosts the resources the client wants to access.
  • Authorization Server: The server that issues access tokens; aka AS/IdP/OP in our environment.

General Steps

  1. (client) Request an access token
    • The client (like an API or backend service) sends a request to the IdP's token endpoint, authenticating itself with its client_id and client_secret. The IdP validates the credentials and, if they are correct, returns an "Access Token".
  2. (client) Use the access token
    • The client now uses this Access Token to make requests to another service (like a protected API server).
  3. (resource server) Verify the token
    • The resource server verifies the validity of the token presented by the client by sending it to the IdP's introspection endpoint, which authenticates the resource server and checks if the token is still valid, what scopes it has, and its expiration time.
    • Based on the result of the verification, the resource server decides whether to allow or deny the client's request.

Common Endpoints

login-uat.stanford.edu (UAT)

TOKEN_URL=https://login-uat.stanford.edu/idp/profile/oidc/token
INTROSPECTION_URL=https://login-uat.stanford.edu/idp/profile/oauth2/introspection
REVOCATION_URL=https://login-uat.stanford.edu/idp/profile/oauth2/revocation
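
The sketch below walks through the General Steps against the UAT endpoints above; it is an added example, not code from this site. It builds the token request (step 1) and the introspection request (step 3) without sending them, and shows a deny-by-default decision on the introspection result. Assumptions: HTTP Basic client authentication, RFC 7662 response fields (active, scope, exp), and constructed names such as svc-a and api.read.

```python
import base64
import time
import urllib.parse
import urllib.request

# UAT endpoints as listed on this page.
TOKEN_URL = "https://login-uat.stanford.edu/idp/profile/oidc/token"
INTROSPECTION_URL = "https://login-uat.stanford.edu/idp/profile/oauth2/introspection"
# Constructed sample of an introspection response (RFC 7662 field names).
SAMPLE = {"active": True, "scope": "api.read", "client_id": "svc-a", "exp": 2000000000}


def _post(url, form, client_id, client_secret):
    # Assumption: HTTP Basic client authentication (RFC 6749 section 2.3.1).
    q = urllib.parse.quote_plus
    basic = base64.b64encode(f"{q(client_id)}:{q(client_secret)}".encode()).decode()
    return urllib.request.Request(
        url,
        data=urllib.parse.urlencode(form).encode(),
        headers={"Authorization": "Basic " + basic,
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def token_request(client_id, client_secret, scope=None):
    """Step 1: the client asks the IdP for an access token."""
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    return _post(TOKEN_URL, form, client_id, client_secret)


def introspection_request(token, rs_id, rs_secret):
    """Step 3: the resource server submits the presented token to the IdP."""
    return _post(INTROSPECTION_URL, {"token": token}, rs_id, rs_secret)


def allow(introspection, required_scope, now=None):
    """Step 3 decision: deny unless active, unexpired and correctly scoped."""
    now = time.time() if now is None else now
    if introspection.get("active") is not True:
        return False
    exp = introspection.get("exp")
    if exp is not None and exp <= now:
        return False
    return required_scope in introspection.get("scope", "").split()
```

Pass either request to urllib.request.urlopen to send it; in step 2 the client presents the returned token to the resource server, typically in an Authorization: Bearer header.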

How to Start Using Client Credentials 
