Client Credentials Flow

📘

Prerequisities

1. Setup the OAuth2 client custom application and select auth method as "client creds"

2. Create a confidential client

With the increase in automated devices, the scope for M2M communication has reached multiple parts such as communication between two backend devices, service-to-service communication, backend to the demon, CLI client to internal service, etc. In contrast with usual authentication where the user uses a Password or other MFAs to clear authentication, an application or a process needs to be authenticated by establishing trust in the system.

The Client Credentials grant is used for M2M flows when applications request an access token to access protected resources. In this flow, the client application provides a client ID and a client secret to obtain an access token from a tenant. This grant flow is mainly used for machine-to-machine communications.

How does it work?

In this flow,

• The client application (or relying party) requests access tokens from CyberArk Identity.
• CyberArk Identity authenticates the client and returns the access token.
• The client application uses the access token to request protected resources.

Integrate CyberArk Identity's client credentials flow

The first API that is invoked is /token/. The header is set to Authorization Basic and is followed by a Base64-encoded string constructed from the client ID and client secret separated by a ":" character:

Header: Authorization Basic <Client ID:Client Secret (Base64 encoded)>

The body of the request specifies a grant_type of client_credentials, and optionally, a scope:

https://<yourtenant>/oauth2/token/<your app ID>

Header: Authorization Basic <Client ID:Client Secret (Base64 encoded)>

{
    "grant_type":"client_credentials",
    "scope":"myscope"
}

The response contains an access_token for use in subsequent API calls, as well as information about the token's expiration time, the scope for which access was granted, and the type of token issued:

{
    access_token = "abc1234asdf9823...",
    expires_in=18000,
    scope="myscope",
    token_type="Bearer"
}

The token can then be used in subsequent API calls by including it in the Authorization header along with the type of token. For example:

https://<yourtenant>/cdirectoryservice/createuser

Header: Authorization Bearer abc1234asdf9823...

{
    "Name":"John",
    ...
}

.

👍

Integrate client credentials flow using CyberArk Identity SDKs

• Java SDK for web applications: https://identity-developer.cyberark.com/docs/add-oauth-flows-for-m2m-flows

• JS SDK: https://identity-developer.cyberark.com/docs/cyberark-identity-javascript-sdk#instantiate-oauth-client-library