Client credentials flow for OpenId Connect and OAuth 2.0


Overview

With the Client Credentials Flow (defined in RFC 6749, section 4.4), a non-interactive client (a CLI, a daemon, or a service running on your backend) can directly ask Identify for an access_token, authenticating with its client credentials (Client ID and Client Secret). In this case the token represents the non-interactive client itself rather than an end user.

How to implement the Client Credentials Grant

The Client's Grant Type property is set appropriately

The grant_type property must be set to client_credentials

Register the Client Id and Client Secret in Identify

From the Safewhere Admin applications list, you can create an OAuth 2.0 application, then open its subtabs and update the following:

  • On its connection tab:
    • Client ID: Specifies the unique ID of the application. Client ID is case-sensitive.
    • Client secret: Specifies the Client secret of the application. Client secret is case-sensitive.
    • Token endpoint authentication method: Specifies the client authentication method to the token endpoint.
    • Allowed Callback URIs: Specifies the redirect URL after successful authentication, e.g. https://identifydomain/runtime/
    • Application name: Specifies the name of the application
    • Set the audience field of tokens which are issued for the application: Specifies the recipients (usually in URI format) that issued access tokens are intended for.

[Screenshot: swadmin-oauth2-client-credential-connection]

  • On its security tab:
    • JWS algorithm: Either RSASigning or HMACSymmetric.
    • Symmetric signing key: Used to generate an HMAC symmetric signing key; the key can be 32, 48, or 64 bytes. You can then either copy the key and paste it into the configuration, or check the appropriate check box and click Select key to apply it.
    • Allow client credentials flow: This setting must be True.

[Screenshot: swadmin-oauth2-client-credential-security]

Ask for a Token

To ask Identify for tokens for any of your authorized client applications, perform a POST operation to the token endpoint:

URI parameters:

  Parameter       Description
  client_id       Your application's Client ID.
  client_secret   Your application's Client Secret.
  grant_type      This must be "client_credentials".

Here is a sample:

[Screenshot: oauth2-token-client-credential]

The response contains a signed JSON Web Token, the token's type (which is Bearer), and how long until it expires, expressed in seconds (3600 seconds, which means 1 hour).

If you decode the access_token, you will see that it contains the following claims:

Tip: to decode a signed JSON Web Token you can use any JSON Web Token decoder tool such as https://www.rcfed.com/OAuth/JWTTokenDecode. Beware that some websites send your data to their servers though.
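As an added example (not code from the Safewhere documentation), the following Python builds the token-endpoint request body from the parameters above and decodes a returned access_token locally, so nothing has to be pasted into a third-party decoder. It also verifies an HMAC symmetric signature, the expiry and the audience configured on the connection tab; the HS256 algorithm, the key, the claim names and the token itself are constructed sample data and assumptions, not values produced by Identify.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

def token_request_body(client_id, client_secret):
    """Form body of the POST to the token endpoint (RFC 6749, section 4.4)."""
    return urlencode({"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret})

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_and_verify(token, key, audience, now=None):
    """Decode a compact JWS locally and check HS256 signature, exp and aud.
    Raises ValueError on any failure, so a bad token is never treated as valid."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the verifier, not the token, fixes the algorithm
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    return claims

def make_hs256_token(claims, key):
    """Constructed stand-in for the token Identify would return; demo only."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

# Constructed sample data: a 32-byte symmetric key (one of the sizes the security
# tab offers) and the claims of a token issued for the audience "https://api.example/".
SAMPLE_KEY = b"0123456789abcdef0123456789abcdef"  # constructed, not a real key
SAMPLE_CLAIMS = {"iss": "https://identifydomain/runtime/", "aud": "https://api.example/",
                 "client_id": "cli-daemon", "iat": 1_700_000_000, "exp": 1_700_003_600}
SAMPLE_TOKEN = make_hs256_token(SAMPLE_CLAIMS, SAMPLE_KEY)
```

Rejecting any algorithm other than the one the client is configured for is what keeps an attacker-supplied header from downgrading the check; the same function accepts a real Identify token once the key and audience are replaced with the values from the security and connection tabs.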

Claim Transformation Support

Claim Transformations are steps in the claim pipeline that transform the claim set attached to a token. The way in which this transformation is done depends on the type of Claim Transformation object. You can set up claim pipeline transformation rules that can be attached to any of your authorized client applications.

Given that you have a JWT token like below:

Because the Client credentials flow has no user context, only certain claims transformations can be used.

Add Value claim transformation

You can set up an Add Value claim transformation.

[Screenshot: add-value-claim-transformation-configuration]

Then attach the Add Value claim transformation to your OAuth 2.0 application.

[Screenshot: add-value-claim-transformation-application-configuration]

Finally, send a request to get an access_token and check its content:

Scripting claim transformation

Set up a Scripting claim transformation.

[Screenshot: scripting-claim-transformation-application-configuration]

Attach the Scripting claim transformation to your OAuth 2.0 application.

[Screenshot: scripting-claim-transformation-configuration]

Finally, send a request to get an access_token and check its content:

Mapping claim transformation

Before trying out the Mapping claim transformation, you can use the Add Value claim transformation above to add some claim values first.

[Screenshot: mapping-claim-transformation-configuration]

Set up a Mapping claim transformation.

[Screenshot: mapping-claim-transformation-configuration-1]

Attach the Mapping claim transformation to your OAuth 2.0 application.

[Screenshot: mapping-claim-transformation-application-configuration]

Finally, send a request to get an access_token and check its content:

Claim Filter claim transformation

Set up a Claim Filter claim transformation.

[Screenshot: claim-filter-transformation-configuration]

Attach the Claim Filter claim transformation to your OAuth 2.0 application.

[Screenshot: claim-filter-claim-transformation-application-configuration]

Finally, send a request to get an access_token and check its content:

External Claims claim transformation

Set up an External Claims claim transformation.

[Screenshot: external-claims-transformation-configuration]

Attach the External Claims claim transformation to your OAuth 2.0 application.

[Screenshot: external-claim-transformation-application-configuration]

Finally, send a request to get an access_token and check its content:

Remove Duplicate claim transformation

Before trying out the Remove Duplicate claim transformation, you can add some duplicate values to a claim type (e.g. "title") by using the Add Value claim transformation above.

[Screenshot: remove-duplicate-claim-transformation-configuration]

Set up a Remove Duplicate claim transformation.

[Screenshot: remove-duplicate-transformation-configuration-1]

Attach the Remove Duplicate claim transformation to your OAuth 2.0 application.

[Screenshot: remove-duplicate-transformation-application-configuration]

Finally, send a request to get an access_token and check its content:

Exclude Identify Claims claim transformation

Set up an Exclude Identify Claims claim transformation.

[Screenshot: exclude-claims-transformation-configuration]

Attach the Exclude Identify Claims claim transformation to your OAuth 2.0 application.

[Screenshot: exclude-claim-transformation-application-configuration]

Finally, send a request to get an access_token and check its content:

Exclude Passthrough Claims claim transformation

Set up an Exclude Passthrough Claims claim transformation.

[Screenshot: exclude-passthrough-transformation-configuration]

Attach the Exclude Passthrough Claims claim transformation to your OAuth 2.0 application.

[Screenshot: exclude-passthrough-transformation-application-configuration]

Finally, send a request to get an access_token and check its content: