Calling APIs from a Service
The OAuth 2.0 grant that machine-to-machine interfaces use to access an API is the Client Credentials Grant.
With the Client Credentials Grant (defined in RFC 6749, section 4.4), a Client can request an access_token directly from the Authorization Server using its Client Credentials (a Client Id and a Client Secret). Instead of representing a Resource Owner, this token represents the Client itself.
- The Client authenticates with the Authorization Server using its Client Id and Client Secret
- The Authorization Server validates this information and returns an access_token
- The Client can use the access_token to call the Resource Server on behalf of itself
This flow is not redirect-based: it is a direct API call made by the Client to the Authorization Server. The resulting access_token can then be used by the Client to call the Resource Server.
Typical uses of this grant:
- Allow the Client to make calls to the Resource Server on its own behalf (machine to machine)
- APIs and services that are not user centric
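The three steps above, as an added example that is not part of the original page: a simulated Authorization Server token endpoint, a Resource Server check, and the Client calling both in sequence. Client ids, secrets and the in-memory token store are constructed for illustration; a real deployment sends the token request over TLS to the provider's token endpoint.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed registry of one machine client (hypothetical id and secret).
CLIENTS = {"svc-reporting": "s3cr3t-example"}
ISSUED = {}  # access_token -> client_id; stands in for the AS's token store


def build_token_request(client_id, client_secret):
    """Client side: RFC 6749 s4.4.2 request. The client authenticates with
    HTTP Basic (s2.3.1); the form body carries only grant_type."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": f"Basic {creds}"}, urlencode({"grant_type": "client_credentials"})


def token_endpoint(headers, body):
    """Authorization Server side: validate the client credentials and issue a
    token that represents the client itself (no Resource Owner involved)."""
    scheme, _, b64 = headers.get("Authorization", "").partition(" ")
    try:
        client_id, _, secret = base64.b64decode(b64).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401, {"error": "invalid_client"}
    expected = CLIENTS.get(client_id)
    # compare_digest keeps the secret check constant-time; a wrong id and a
    # wrong secret produce the same response so ids cannot be enumerated.
    if scheme != "Basic" or expected is None or not hmac.compare_digest(secret, expected):
        return 401, {"error": "invalid_client"}
    if parse_qs(body).get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    token = secrets.token_urlsafe(32)
    ISSUED[token] = client_id
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}


def resource_server(headers):
    """Resource Server side: accept only a bearer token the AS actually issued."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token not in ISSUED:
        return 401, None
    return 200, {"called_by": ISSUED[token]}


def call_api_as_service(client_id, client_secret):
    """The full machine-to-machine flow: token request, then the API call."""
    status, resp = token_endpoint(*build_token_request(client_id, client_secret))
    if status != 200:
        return status, resp
    return resource_server({"Authorization": f"Bearer {resp['access_token']}"})
```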