OAuth provides a standardized way for clients to obtain authorization to access resources on behalf of users or machines.
For user-based authorization, the user is directed to the /connect/authorize endpoint of an authorization server.
For machine-to-machine scenarios, authorization is typically obtained by sending a client_id and client_secret
to the /connect/token endpoint.
These various methods of obtaining authorization are referred to as "flows".
When a client obtains credentials directly from the /connect/token endpoint using a client_id and
client_secret to represent a machine, this is known as the "Client Credentials Flow".
This flow is defined in RFC 6749, specifically in Section 1.3.4:
The client credentials (or other forms of client authentication) can be used as an authorization grant when the authorization scope is limited to the protected resources under the control of the client, or to protected resources previously arranged with the authorization server. Client credentials are used as an authorization grant typically when the client is acting on its own behalf (the client is also the resource owner) or is requesting access to protected resources based on an authorization previously arranged with the authorization server.
In the Client Credentials Flow, the client sends a POST request to the /connect/token endpoint.
The request includes the client_id and client_secret encoded in a Basic Authorization header,
along with the grant_type=client_credentials parameter in the request body.
If the credentials are valid, the authorization server responds with an access token, which the client can then use to authenticate
requests to protected resources.
Example of obtaining an access_token using the client_credentials flow:
curl --request POST \ --url https://example.sandbox.entrypage.io/connect/token \ --header "Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW" \ --header "Content-Type: application/x-www-form-urlencoded" \ --data "grant_type=client_credentials"
Example response:
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"example",
"expires_in":3600
}
Client credentials are intended to be used only by confidential clients. Client secrets must never be exposed to end-users and should be treated with the same level of security as passwords, since they represent a trusted principal.
As such, client credentials must be stored securely using secret management systems such as Docker Secrets, Azure Key Vault, HashiCorp Vault, or similar solutions.
In some cases, a client_id and client_secret may not provide sufficient security to meet certain requirements.
In such cases, some authorization servers support client authentication via an x.509 certificate.
By using mutual TLS (mTLS), the server can verify the client's identity and issue a token if the certificate is valid.
This method is described in RFC 8705.
The Client Credentials Flow is designed specifically for confidential clients—services that are trusted to securely store and manage their own credentials. It is used when the client is acting on its own behalf and needs to access its own resources, rather than on behalf of an end user.
As such, this flow is typically used for machine-to-machine communication in scenarios like backend services accessing databases or APIs, or when automating system tasks that require authentication without user interaction.
Written by: Albert Starreveld
IAM Architect / Cloud Architect / Founder @ Entrypage.io
Published on: 24-04-2025