Integrate OAuth 2.0 M2M flow

📘

PREREQUISITE

  1. Setup OpenID Connect (OIDC) custom application in CyberArk Identity tenant
  2. Install the CyberArk Identity Java SDK

With the increase in automated devices, the scope for M2M communication has reached multiple parts such as communication between two backend devices, service-to-service communication, backend to demon, CLI client to internal service, etc. In contrast with usual authentication where the user uses a Password or other MFAs to clear authentication, an application or a process needs to be authenticated by establishing trust in the system.

The Client Credentials grant is used for M2M flows when applications request an access token to access protected resources. In this flow, the client application provides a client ID and a client secret to obtain an access token from a tenant. This grant flow is mainly used for machine-to-machine communications.

This guide describes how client credentials flow can be integrated with CyberArk Identity using the CyberArk Identity Java SDK.

Configure an OAuthClient instance

Configure the OAuthClient object by providing the OAuth 2.0 application details that will allow the client application to make authorized API requests.

import com.cyberark.client.OAuthClient;

// provide confidential client details for client_id and client_secret
OAuthClient oauthClient = new OAuthClient(YOUR_TENANT_URL, YOUR_OAUTH_APPLICATION_ID, YOUR_CONFIDENTIAL_CLIENT_ID, YOUR_CONFIDENTIAL_CLIENT_SECRET);

Constructor parameters:

ParameterDescriptionRequired
tenantURLCyberArk Identity Application URLYes
applicationIdOAuth client Application ID.
This value can be found at OAuth client Application Settings section.
Yes
clientIdService usernameYes
clientSecretService user passwordYes

Token request

The client can get the tokens for M2M applications using the following method:

TokenHolder tokenHolder = oauthClient.requestTokenWithClientCreds()
    .setGrantType("client_creds")
    .setScope(YOUR_SCOPE)
    .execute();

Parameters can be added to the token URL using the builder methods as shown below.

// Sets the client id.
TokenRequest setClientId(String clientId);

// Sets the client secret.
TokenRequest setClientSecret(String clientSecret);

// Sets the grantType to client_creds.
TokenRequest setGrantType(String grantType);

// Sets the scope value.
TokenRequest setScope(String scope);

Explore the client credentials flow in Java angular sample app

📘

Prerequisite

  1. Setup OpenID Connect (OIDC) custom application in CyberArk Identity tenant
  2. Install the CyberArk Identity Java-angular sample app
  3. Setup the Java-angular sample app

After successful login to the sample app, select Machine To Machine card as highlighted below.

932932

From the drop-down, select Client Creds and hit Build Token URL.

851851

👍

Note

  1. This Build Token URL triggers an API that uses data provided in Settings page.

  2. A preview of Token Endpoint and payload information is displayed for the user, which can be used as a reference pattern for incorporating M2M flow in your personalized custom apps.

10631063

Upon clicking submit, an access token can be obtained.

460460