Use the client credentials flow

This topic describes how the client credentials flow works.

Before you begin

  1. Set up the OAuth2 client custom application and select the auth method as client creds.

  2. If you want to create access tokens for your machine-to-machine (M2M) applications such that clients can access your APIs, set up OAuth2 server custom application and select the auth method as client creds.

  3. Create a confidential client.

With the increase in automated devices, the scope for M2M communication includes communication between two back end devices, service-to-service communication, back end to demon, CLI client to internal service, and so on. In contrast with manual authentication where the user uses a password or other MFAs to clear authentication, an application or a process needs to be authenticated by establishing trust in the system.

The client credentials grant is used for M2M flows where applications request an access token to access protected resources. In this flow, the client application provides a client ID and a client secret to obtain an access token from a tenant. This grant flow is mainly used for machine-to-machine communications.

How it works

In this flow:

  1. The client application (or relying party) requests access tokens from CyberArk Identity.

  2. CyberArk Identity authenticates the client and returns the access token.

  3. The client application uses the access token to request protected resources.

Integrate the CyberArk Identity client credentials flow

The first API that is invoked is /token/. The header is set to Authorization Basic and is followed by a Base64-encoded string constructed from the client ID and client secret separated by a ":" character:

Header: Authorization Basic <Client ID:Client Secret (Base64 encoded)>

The body of the request specifies a grant_type of client_credentials, and optionally, a scope:

https://<yourtenant>/oauth2/token/<your app ID>

Header: Authorization Basic <Client ID:Client Secret (Base64 encoded)>

{

"grant_type":"client_credentials",

"scope":"myscope"

}

The response contains an access_token for use in subsequent API calls, as well as information about the token's expiration time, the scope for which access was granted, and the type of token issued:

{

access_token = "abc1234asdf9823...",

expires_in=18000,

scope="myscope",

token_type="Bearer"

}

You can then use the token in subsequent API calls by including it in the authorization header along with the type of token. For example:

https://<yourtenant>/cdirectoryservice/createuser

Header: Authorization Bearer abc1234asdf9823...

{

"Name":"John",

...

}