Intro
This page explains how to use OAuth2.0 Client Credentials grant (defined within the RFC6749) with GEANT AAI Service.
Info |
---|
OAuth2.0 Client Credentials grant is used when the client is requesting access to the protected resources under its control, or those of another resource owner that have been previously arranged with the authorization server. |
Note |
---|
Please note that the client acts on behalf of itself in this grant, so the access token issued by the Authorization Server reflects the identity of the service account (client) regardless of whether the flow was triggered by the end user's interaction with the client or is a result of client's background processing. |
Support
In order to check whether the Client Credentials grant is supported by the particular instance of the Authorization Server, server metadata needs to be checked.
Although the Client Credentials grant is an OAuth2.0 grant, information on support should be checked in the OpenID Connect Configuration as the Authorization Server is not publishing a separate OAuth2.0 Authorization Server Metadata.
Client Credentials grant is advertised in the metadata by the client_credentials entry in the grant_types_supported property.
OpenID Connect configuration for eduTEAMs can be found at https://proxy.aai.geant.org/.well-known/openid-configuration.
Client registration
Willingness to use the Client Credentials grant needs to be expressed at the moment of registration of the client in the GEANT AAI Service and for obvious reasons applies only to confidential clients.
You can find more information about the process of client registration at How to connect a new service to the Geant AAI Service.
Supported client authentication methods
Currently, only password-based authentication methods are supported (see section 2.3.1 of the OAuth 2.0 Authorization Framework - RFC6749 specification for more details).
References
- The OAuth 2.0 Authorization Framework (RFC6749): https://datatracker.ietf.org/doc/html/rfc6749