Overview of the client credentials grant
The steps are as follows:
- A: The client authenticates with the service provider and requests an access token from the service provider's token endpoint.
- B: The service provider authenticates the client, and if valid, issues an access token.
Authorization request and response
Since the client is requesting access on its own behalf, no further authorization is needed.
Access token request
The client makes a POST request to the service provider's token endpoint passing in the following parameters encoded using the application/x-www-form-urlencoded format, as described in Appendix B of the specification:
- grant_type: (Required) The value must be set to client_credentials
- scope: (Optional) A list of space-delimited, case-sensitive strings that represent the scope of the access request
As part of this request, the client application must also authenticate with the service provider. This is typically done using the HTTP basic authentication...
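The token request above, built on the client side and checked on the service provider side, as an added example that is not part of the original text. The function names, the sample client and the in-memory registry are assumptions made for illustration; the form-encoding of the credentials and the error codes follow RFC 6749 sections 2.3.1 and 5.2.

```python
import base64
import hmac
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlencode

FORM = "application/x-www-form-urlencoded"

def build_token_request(client_id, client_secret, scopes=()):
    """Client side (step A): return (headers, body) for the token endpoint POST."""
    params = {"grant_type": "client_credentials"}
    if scopes:
        params["scope"] = " ".join(scopes)  # space-delimited, case-sensitive
    # RFC 6749 section 2.3.1: form-encode id and secret before Basic encoding,
    # so a ':' inside either value cannot shift the id/secret boundary.
    userpass = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    basic = base64.b64encode(userpass.encode()).decode()
    return {"Content-Type": FORM, "Authorization": f"Basic {basic}"}, urlencode(params)

def check_token_request(headers, body, registered):
    """Service provider side (step B): return the client_id, or raise ValueError
    carrying an RFC 6749 section 5.2 error code."""
    if headers.get("Content-Type") != FORM:  # exact match is a simplification
        raise ValueError("invalid_request")
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    try:
        decoded = base64.b64decode(value, validate=True).decode()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        decoded = ""
    raw_id, sep, raw_secret = decoded.partition(":")
    client_id, secret = unquote_plus(raw_id), unquote_plus(raw_secret)
    expected = registered.get(client_id)
    # Always run the constant-time compare, even for unknown clients.
    same = hmac.compare_digest(secret.encode(), (expected or "").encode())
    if scheme.lower() != "basic" or not sep or expected is None or not same:
        raise ValueError("invalid_client")
    form = parse_qs(body)
    if "grant_type" not in form:
        raise ValueError("invalid_request")
    if form["grant_type"] != ["client_credentials"]:
        raise ValueError("unsupported_grant_type")
    return client_id

if __name__ == "__main__":
    # Constructed sample client; the dict stands in for a real credential store.
    hdrs, form_body = build_token_request("svc:reports", "p@ss word+1", ["read", "Write"])
    print(hdrs, form_body)
    print(check_token_request(hdrs, form_body, {"svc:reports": "p@ss word+1"}))
```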