2. Client Credentials Flow

Overview

The client credentials grant type is used when there is no user present and the client authenticates itself with the authorization server. In other words, it lets a client application obtain an access token outside the context of a user, for example in machine-to-machine environments: the resulting token represents the client itself, not a user it acts on behalf of.

Only confidential clients, that is, clients able to store their credentials securely (a backend service, not a browser or mobile application), can use the client credentials flow.

Figure: OAuth Client Credentials Flow

Steps

  1. The client requests an access token by calling the token endpoint of the Authorization Server, for example:

     curl -X POST https://$TENANT_ID.$REGION_ID.authz.cloudentity.io/$TENANT_ID/$WORKSPACE_ID/oauth2/token \
       --header "Content-Type: application/x-www-form-urlencoded" \
       --data-raw "grant_type=client_credentials&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET"

     This request carries the client credentials in the request body (client_secret_post). RFC 6749 requires authorization servers to support HTTP Basic authentication (client_secret_basic) and recommends it over body parameters; with curl, pass --user "$CLIENT_ID:$CLIENT_SECRET" and drop the client_id and client_secret parameters from the body.
  2. The Authorization Server validates the client credentials received in the request and checks that the client is allowed to use this grant type and the requested scopes.
  3. The Authorization Server returns the access token.
  4. The client requests protected resources from the Resource Server, submitting the token it received in the previous step as a Bearer token in the Authorization header.
  5. The Resource Server validates the token (signature or introspection, expiry, scope) and responds with the requested resources.
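
The five steps above, as an added worked example that is not part of the original page and not Cloudentity's code. The token endpoint, the client registry (two constructed clients, one confidential and one public) and the resource server are hypothetical in-process functions so the exchange runs offline; tokens are HMAC-signed opaque strings with a key shared between authorization server and resource server, an assumption made for the example (a real deployment would typically issue JWTs or use introspection). The endpoint accepts both client_secret_basic and client_secret_post, refuses the public client, and answers with the RFC 6749 section 5.2 error codes.

```python
"""Client credentials exchange, steps 1 to 5, as an added example (not Cloudentity code).

The authorization server (AS), client registry and resource server (RS) are
hypothetical in-process functions; TOKEN_KEY is an assumed AS/RS shared key.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode


def _hash_secret(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed client registry: secrets stored hashed, as the AS would keep them.
CLIENTS = {
    "svc-reporting": {"secret_hash": _hash_secret("s3cr3t-reporting"), "confidential": True,
                      "grant_types": {"client_credentials"}, "scopes": {"reports:read"}},
    "spa-dashboard": {"secret_hash": None, "confidential": False,       # public client
                      "grant_types": {"authorization_code"}, "scopes": {"reports:read"}},
}
_DUMMY_HASH = _hash_secret(secrets.token_hex(32))  # compared against for unknown clients
TOKEN_KEY = secrets.token_bytes(32)                # assumed AS/RS shared signing key
TOKEN_TTL = 300


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _client_credentials(headers: dict, form: dict) -> tuple:
    """client_id/client_secret from HTTP Basic auth (RFC 6749 2.3.1, MUST be
    supported) or, failing that, from the form body (allowed, not recommended)."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            cid, _, secret = base64.b64decode(auth[6:], validate=True).decode().partition(":")
            return cid, secret
        except (ValueError, UnicodeDecodeError):
            return None, None
    return form.get("client_id", [None])[0], form.get("client_secret", [None])[0]


def token_endpoint(headers: dict, body: str) -> tuple:
    """Steps 2 and 3: authenticate the client, check the grant, issue a token.
    Returns (http_status, json_body) with RFC 6749 section 5.2 error codes."""
    form = parse_qs(body, keep_blank_values=True)
    cid, secret = _client_credentials(headers, form)
    client = CLIENTS.get(cid)
    # Always run the constant-time compare, against a dummy hash for unknown or
    # secret-less clients, so response timing does not reveal which ids exist.
    expected = (client or {}).get("secret_hash") or _DUMMY_HASH
    secret_ok = hmac.compare_digest(_hash_secret(secret or ""), expected)
    if client is None or not client["confidential"] or not secret_ok:
        return 401, {"error": "invalid_client"}
    grant = form.get("grant_type", [None])[0]
    if grant is None:
        return 400, {"error": "invalid_request"}
    if grant != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    if grant not in client["grant_types"]:
        return 400, {"error": "unauthorized_client"}
    requested = set(form.get("scope", [""])[0].split()) or client["scopes"]
    if not requested <= client["scopes"]:
        return 400, {"error": "invalid_scope"}
    claims = {"sub": cid, "scope": " ".join(sorted(requested)), "exp": int(time.time()) + TOKEN_TTL}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).digest()
    return 200, {"access_token": f"{payload}.{_b64(mac)}", "token_type": "Bearer",
                 "expires_in": TOKEN_TTL, "scope": claims["scope"]}


def verify_token(token: str, required_scope: str, now=None):
    """Step 5: the RS checks signature, expiry and scope; None means reject."""
    try:
        payload, sig = token.split(".")
        mac = hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), mac):
            return None
        claims = json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims["exp"] <= (time.time() if now is None else now):
        return None
    if required_scope not in claims["scope"].split():
        return None
    return claims


def client_token_request(client_id: str, client_secret: str, scope: str = "") -> tuple:
    """Step 1: what the client sends; the curl request above, but with Basic auth."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    params = {"grant_type": "client_credentials"}
    if scope:
        params["scope"] = scope
    return headers, urlencode(params)


def run_flow(client_id: str, client_secret: str, scope: str = "reports:read") -> dict:
    """Steps 1 to 5 end to end: the resource, or the error the AS or RS gave."""
    headers, body = client_token_request(client_id, client_secret, scope)
    status, resp = token_endpoint(headers, body)
    if status != 200:
        return {"error": resp["error"]}
    claims = verify_token(resp["access_token"], "reports:read")   # step 4: Bearer token presented
    if claims is None:
        return {"error": "rs_rejected_token"}
    return {"resource": f"report for {claims['sub']}"}


if __name__ == "__main__":
    print(run_flow("svc-reporting", "s3cr3t-reporting"))   # resource returned
    print(run_flow("spa-dashboard", ""))                   # public client refused
```

The checks worth copying are the ones that are easy to skip: the secret comparison is constant-time and runs even for unknown client ids, a public client is refused this grant regardless of what it sends, scopes are restricted to those registered for the client, and the resource server rejects a token whose payload was altered, that has expired, or that lacks the scope the endpoint requires.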

Use Case

Machine-to-machine communication: You have a backend service, such as a microservice or a daemon, that needs to access secrets stored in Azure Key Vault. The backend service needs to authenticate itself with Azure AD and obtain an access token to securely access the Key Vault without user interaction. This can be achieved using the Client Credentials Flow.

Security