
OAuth 2.0 Client Credentials Grant

The Client Credentials Grant is used to authenticate machine-to-machine (M2M) applications, that is, applications that act on their own behalf without an interactive user. In this flow the Client ID and Client Secret of the OAuth application you registered in EmpowerID are sent to the Token endpoint in exchange for an access token and, when the request includes scope=openid, an ID token. By default the access token is issued for the owner of the registered OAuth application; EmpowerID also accepts an optional username parameter that names the person for whom the token should be issued instead. Because the client secret alone is enough to obtain these tokens, treat it as a confidential credential: keep it out of source code and logs, and send it only over HTTPS. This article describes how to use this grant in your applications.

tip

You can download sample .NET framework code at https://dl1.empowerid.com/files/OAuthTestSampleCode.zip.

Client Credential Grant

  1. Enable Client Credential Flow on the OAuth application as described in the Configure Advanced OAuth Flows documentation.

  2. Send a POST request to the EmpowerID Token endpoint, https://<EID Server>/oauth/v2/token

    POST /oauth/v2/token HTTP/1.1
    Host: <EID Server>
    Content-Type: application/x-www-form-urlencoded
    Cache-Control: no-cache

    client_id={The Client ID of the OAuth app you registered in EmpowerID}
    &client_secret={The Client Secret of the OAuth app you registered in EmpowerID}
    &grant_type=client_credentials
    &scope=openid
    &username={EmpowerID person identifier}
    Header parameter | Required/Optional | Description
    Content-Type     | required          | Must be application/x-www-form-urlencoded.

    Post body parameter | Required/Optional | Description
    client_id     | required | The client identifier of the OAuth application registered in EmpowerID.
    client_secret | required | The client secret of the OAuth application registered in EmpowerID. Send it only over HTTPS and never write it to logs.
    grant_type    | required | Must be client_credentials.
    scope         | optional | A space-separated list of requested scopes. Include openid to receive an ID token (OpenID Connect) alongside the access token.
    username      | optional | The EmpowerID person identifier for whom the access token should be issued. If omitted, the access token is issued to the owner of the registered OAuth application. Nothing beyond the client secret is required to request a token for the named person, so anyone holding the secret can obtain tokens for those identities; protect it accordingly.
  3. The Token endpoint returns the access token (and, when scope=openid was requested, an ID token) in a JSON response:

    {
    "access_token": "xxxxxxxxxxxxxxxxxxxxxx",
    "token_type": "Bearer",
    "expires_in": 3600,
    "id_token": "xxxxxxxxxxxxxxxxxxxxxx",
    "id": "xxxxxxxxxxxxxxxxxxxxxx"
    }
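The complete exchange above as a small Python client. This is an added example, not the .NET sample code linked at the top of the article and not EmpowerID's own code. It assumes only what the article states: a form-encoded POST of client_id, client_secret, grant_type=client_credentials and the optional scope and username fields to https://<EID Server>/oauth/v2/token, and the JSON response shape shown in step 3. The server name, the client credentials and the sample response embedded in the block are constructed placeholders.

```python
"""Client Credentials Grant against the EmpowerID token endpoint.

Added example, not EmpowerID's sample code. It assumes the request and
response formats shown in the article; the server name, credentials and
the sample response below are constructed placeholders.
"""
import json
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth/v2/token"

# Constructed sample of the step-3 response (all values are placeholders).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "xxxxxxxxxxxxxxxxxxxxxx",
    "token_type": "Bearer",
    "expires_in": 3600,
    "id_token": "xxxxxxxxxxxxxxxxxxxxxx",
    "id": "xxxxxxxxxxxxxxxxxxxxxx",
})


def build_token_request(client_id, client_secret, scope=None, username=None):
    """Return (headers, body) for the token POST.

    urlencode percent-encodes every value, so a secret containing '&', '+'
    or '=' cannot corrupt the form body. scope and username are left out
    entirely when not supplied; an absent username makes EmpowerID issue
    the token to the owner of the registered application.
    """
    fields = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    }
    if scope:
        fields["scope"] = scope
    if username:
        fields["username"] = username
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Cache-Control": "no-cache",
    }
    return headers, urllib.parse.urlencode(fields).encode("ascii")


def parse_token_response(raw, now=None):
    """Validate the token JSON and return it with an absolute expiry time."""
    now = time.time() if now is None else now
    data = json.loads(raw)
    if "access_token" not in data:
        # OAuth error responses carry an "error" member instead of a token.
        raise ValueError("no access_token: %s" % data.get("error", "unknown error"))
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type %r" % data.get("token_type"))
    expires_in = int(data.get("expires_in", 0))
    if expires_in <= 0:
        raise ValueError("missing or non-positive expires_in")
    return {
        "access_token": data["access_token"],
        "id_token": data.get("id_token"),  # present only when scope included openid
        "expires_at": now + expires_in,
    }


def request_token(eid_server, client_id, client_secret, scope=None, username=None):
    """Perform the POST over HTTPS and return the parsed token."""
    url = "https://" + eid_server + TOKEN_PATH  # never plain http: the body carries the secret
    headers, body = build_token_request(client_id, client_secret, scope, username)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read())


class TokenCache:
    """Reuse one access token until shortly before expiry, then fetch a fresh one."""

    def __init__(self, fetch, skew=60):
        self._fetch = fetch  # callable returning parse_token_response() output
        self._skew = skew    # seconds of clock slack before expires_at
        self._token = None

    def bearer_header(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._token["expires_at"] - self._skew:
            self._token = self._fetch()
        return {"Authorization": "Bearer " + self._token["access_token"]}


if __name__ == "__main__":
    # Offline demonstration with placeholder credentials (real secrets must not be printed).
    headers, body = build_token_request("my-client-id", "s3cr&t", scope="openid")
    print(headers, body)
    print(sorted(parse_token_response(SAMPLE_RESPONSE)))
    # Live call against a reachable EID server (placeholder host and credentials):
    # request_token("eid.example.com", "my-client-id", "my-client-secret", scope="openid")
```

Two choices are worth noting. The body is built with urlencode rather than string concatenation so that a secret containing form metacharacters is transmitted intact, and TokenCache renews the token a little before expires_in elapses rather than on the first 401, which avoids a burst of failed calls when the token lapses. The id_token is returned as an opaque string here; its claims must not be trusted until the signature has been verified against EmpowerID's published keys.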