Client Credential Flow
- Client requests a protected resource.
- Using its client ID and client secret, the application makes a request to the authorization server and gets back an access token
- Client ID and client secret are the application’s credentials. Client credentials do not and cannot have a user.
Uses
- Use it when there is no user involved: microservices and backend services
- API keys are examples of this flow, e.g. the API keys of Twilio, Salesforce etc.
Benefits of OAuth over API keys
- Simplify with consistent interfaces
- Client rotation, scopes and better tools for OAuth
Security
- Always use SSL/TLS
- Validate tokens before using them
- Client ID and client secret are not tied to a specific user but potentially to all users, therefore you need to log and track their usage
- This flow is the most secure by far
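The flow above and the "validate before use" and "log the client" points, as an added example (not from the original notes): a client builds the token request, a minimal in-memory authorization server authenticates it and mints a short-lived HS256 token, and the resource server verifies the token before serving. Names (`svc-billing`, `invoices-api`, `example-secret`), the shared HMAC key and the 300-second lifetime are all constructed for the demo.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlencode

# Constructed client registration (hypothetical names); a real AS would store the secret hashed.
CLIENTS = {"svc-billing": {"secret": "example-secret", "scopes": {"invoices.read"}}}
AS_SIGNING_KEY = b"example-as-hmac-key"  # assumption: HS256 key shared by AS and resource server

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_token_request(client_id, client_secret, scope):
    """Client side: RFC 6749 4.4.2 token request, credentials sent as HTTP Basic (2.3.1)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": f"Basic {creds}"}, urlencode({"grant_type": "client_credentials", "scope": scope})

def issue_token(headers, body, now):
    """AS side: authenticate the client, mint a short-lived HS256 JWT (no 'sub': no user is involved)."""
    try:
        client_id, secret = base64.b64decode(headers["Authorization"].split(" ", 1)[1]).decode().split(":", 1)
    except (KeyError, ValueError):
        return {"error": "invalid_client"}
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], secret):
        return {"error": "invalid_client"}  # same error for unknown id and wrong secret
    form = parse_qs(body)
    if form.get("grant_type") != ["client_credentials"]:
        return {"error": "unsupported_grant_type"}
    scope = set(form.get("scope", [""])[0].split()) & client["scopes"]  # never grant beyond registration
    claims = {"aud": "invoices-api", "client_id": client_id, "scope": " ".join(sorted(scope)), "exp": now + 300}
    head, payload = b64url(b'{"alg":"HS256","typ":"JWT"}'), b64url(json.dumps(claims).encode())
    sig = b64url(hmac.new(AS_SIGNING_KEY, f"{head}.{payload}".encode(), hashlib.sha256).digest())
    return {"access_token": f"{head}.{payload}.{sig}", "token_type": "Bearer", "expires_in": 300}

def validate_token(token, now, audience="invoices-api"):
    """Resource server side: verify signature, audience and expiry before trusting any claim."""
    try:
        head, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = b64url(hmac.new(AS_SIGNING_KEY, f"{head}.{payload}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims

def read_invoices(token, now):
    # Protected resource: serve only a validated token carrying the required scope; log claims["client_id"].
    claims = validate_token(token, now)
    return (200, ["INV-1", "INV-2"]) if claims and "invoices.read" in claims["scope"].split() else (403, None)
```

The `now` argument is injected so expiry can be exercised without waiting; pass `int(time.time())` in real use.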