Client Credentials Grant
Client credentials can be used when the authorization scope is limited to the protected resources belonging to the client. Client credentials are used as an authorization grant when the client requests access to protected resources based on an authorization previously arranged with the authorization server. The client application requests an access token from the authorization server, authenticating the request with its client key and client secret. If the client is successfully authenticated, an access token is returned.
Please refer to the WSO2 IS documentation for a detailed explanation on this grant type with the use of a sequence diagram.
Invoking the Token API to generate the tokens
- Get a valid consumer key and consumer secret pair. Initially, you generate these keys through the API Store by clicking Generate Keys on the Production Keys tab of the application.
- Combine the consumer key and consumer secret in the format consumer-key:consumer-secret and encode the combined string using base64 (http://base64encode.org). The following sample cURL command obtains an access token for the specified scope.
curl -k -d "grant_type=client_credentials&scope=test" -H "Authorization: Basic <Base64(ConsumerKey:ConsumerSecret)>" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token
Tip: The Client Credentials grant type is used to regenerate access tokens for an application through the API Store, so you should enable this grant type for the application. To do that, go to the API Store, click the application name under the APPLICATIONS menu, click the Production Keys tab, and select the Client Credentials check box under Grant Types.
Setting a custom validity time for access tokens
You can set a validity period for access tokens through a cURL command. Pass the validity_period parameter as shown in the example below.
curl -X POST -k -H "Authorization: Basic <Base64(clientId:clientSecret)>" -d "grant_type=client_credentials&validity_period=<custom_validity_time_in_seconds>" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token -v
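The token request described above (a Basic header built from the base64-encoded key:secret pair, grant_type=client_credentials, and the optional scope and validity_period parameters) as an added Python example; this is not WSO2 code. It assumes the page's token endpoint https://localhost:8243/token and uses a constructed sample response; verify_tls=False reproduces curl's -k and is only appropriate against a local development gateway.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

TOKEN_URL = "https://localhost:8243/token"  # token endpoint used on this page

# Constructed sample response in the shape an OAuth2 token endpoint returns; not captured from WSO2.
SAMPLE_RESPONSE = '{"access_token": "sample-access-token", "token_type": "Bearer", "expires_in": 3600, "scope": "test"}'

def basic_auth_header(consumer_key, consumer_secret):
    """'Basic ' + base64(consumer-key:consumer-secret), as the page's curl -H header expects."""
    raw = f"{consumer_key}:{consumer_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def token_request_body(scope=None, validity_period=None):
    """Form-encode grant_type=client_credentials plus the optional scope / validity_period."""
    params = {"grant_type": "client_credentials"}
    if scope:
        params["scope"] = scope
    if validity_period is not None:
        params["validity_period"] = str(int(validity_period))  # seconds, as on the page
    return urllib.parse.urlencode(params)

def parse_token_response(body):
    """Pull out the fields a caller needs; raise on an OAuth2 error response."""
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError("token request failed: " + str(data.get("error", body)))
    return {"access_token": data["access_token"],
            "token_type": data.get("token_type", "Bearer"),
            "expires_in": int(data.get("expires_in", 0)),
            "scope": data.get("scope", "")}

def request_token(consumer_key, consumer_secret, scope=None, validity_period=None, verify_tls=True):
    """POST to TOKEN_URL. verify_tls=False is the equivalent of the page's curl -k: local dev only."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(TOKEN_URL, method="POST",
                                 data=token_request_body(scope, validity_period).encode("ascii"),
                                 headers={"Authorization": basic_auth_header(consumer_key, consumer_secret),
                                          "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return parse_token_response(resp.read().decode("utf-8"))
```

Call request_token("<ConsumerKey>", "<ConsumerSecret>", scope="test", validity_period=3600) against a running gateway; the returned dict carries the access_token and its expires_in value.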
Note that a user is counted in the Registered Users for Application statistics, which records the number of users sharing each application, only if that user generates access tokens using the Password grant type.