Intro
This page explains how to use OAuth2.0 Client Credentials grant (defined within the RFC6749) with the GEANT AAI Service.
Info |
---|
OAuth2.0 The Client Credentials grant is used when the client is requesting access to the protected resources under its control, or those of another resource owner that have been previously arranged with the authorization servertype in OAuth 2.0 is suitable when the application (rather than the user) needs to access the data of another service.
|
Note |
---|
Please note that in this grant the client acts on behalf of itself in this grant, so the access . The access_token issued by the Authorization Server reflects the identity of the service account (the client) regardless of whether the flow was triggered by the end user's interaction with the client or is a result of client's background processing. |
Examples
This section contains some practical examples of where the Client Credentials grant can be effectively utilized along with sequence diagrams depicting the flow.
Background Jobs
Scenario
Applications often run jobs like data synchronization, backups, or batch processing tasks that require access to APIs (other client integrated with GEANT AAI Service) but are not triggered by a specific user action. The Client Credentials grant provides a way for these jobs to authenticate against the necessary services without requiring user interaction, streamlining automated processes within the application's ecosystem.
Sequence diagram
Aggregated Data Services
Scenario
Services that aggregate data from multiple sources (other clients integrated with GEANT AAI Service) and provide a unified API to clients can use Client Credentials to authenticate with those sources. This is common in financial services, market data analysis, or news aggregation platforms where the data needs to be fetched regularly and reliably without user involvement.
Sequence diagram
Example requests
Client Credentials flow
Code Block | ||||
---|---|---|---|---|
| ||||
curl -X POST "https://proxy.aai.geant.org/OIDC/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials&client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>&scope=api" |
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
{ "access_token": "eyJhbGciOiJFUzI1NiIs...", "token_type": "access_token", "scope": "api", "expires_in": 3600 } |
Token introspection
Code Block | ||||
---|---|---|---|---|
| ||||
curl -X POST "https://proxy.aai.geant.org/OIDC/introspect" \
-H "Authorization: Basic Q0xJRU5UX0lEOkNMSUVOVF9TRUNSRVQ" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "token=eyJhbGciOiJFUzI1NiIs..." |
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
{
"active": true,
"scope": "api",
"client_id": "<CLIENT_ID>",
"exp": 1715761201,
"iat": 1715757600,
"iss": "https://proxy.aai.geant.org",
"token_type": "Bearer"
} |
Support
In order to check whether the Client Credentials grant is supported by the particular instance of the Authorization Server, server metadata needs to be checked.
Although the Client Credentials grant is an OAuth2.0 grant, information on support should be checked in the OpenID Connect Configuration as the Authorization Server is not publishing a separate OAuth2.0 Authorization Server Metadata.
Client Credentials grant is advertised in the metadata by the client_credentials entry in the grant_types_supported property.
OpenID Connect configuration for eduTEAMs GEANT AAI Service can be found at https://proxy.aai.geant.org/.well-known/openid-configuration.
Client registration
Willingness to use the Client Credentials grant needs to be expressed at the moment of registration of the client in the GEANT AAI Service and for obvious reasons applies only to confidential clients.
You can find more information about the process of client registration at How to connect a new service to the Geant AAI Service.
Supported client authentication methods
Currently, only password-based authentication methods are supported (see section 2.3.1 of the OAuth 2.0 Authorization Framework - RFC6749 specification for more details).
References
- The OAuth 2.0 Authorization Framework (RFC6749): https://datatracker.ietf.org/doc/html/rfc6749