Chapter 5. Client Credentials Flow

Most of the OAuth flows are for handling delegated authorization, when a resource owner grants access to an application to access her data. However, there are cases when the client itself owns the data and does not need delegated access from a resource owner, or delegated access has already been granted to the application outside of a typical OAuth flow.

This flow (shown in Figure 5-1) works well for similar use cases as the “2-legged” flow in OAuth 1.0.

Client Credentials flow: Step-by-step
Figure 5-1. Client Credentials flow: Step-by-step

When Should the Client Credentials Flow Be Used?

Imagine a storage API, such as Google Storage or Amazon S3. You’re building an application that has resources (data files, images, etc.) stored externally to your app using one of these APIs. The application needs to read and update these resources, but acting on behalf of the app itself rather than on behalf of any individual user. This is a perfect use case for the Client Credentials flow. The application can ask the OAuth authorization server for an access token directly, without the involvement of any end user.

There is another representative case for the Client Credentials flow—when a resource owner has granted an application access to their resources out of band, without using a typical OAuth flow. Google provides a concrete use case in the Google Apps Marketplace. When an application is listed on ...

Get Getting Started with OAuth 2.0 now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.