ClientCredentialsOAuth2ClientFilter
Authenticates OAuth 2.0 clients with the OAuth 2.0 client_credentials grant type.
Gets an access token from an Authorization Server with the specified scopes.
Injects the access token into the inbound request as a Bearer Authorization header.
The "endpointHandler" authenticates the client with a client authentication filter,
such as a ClientSecretBasicAuthenticationFilter.
When an access token expires, this filter requests a new access token.
Use this filter in a service-to-service context where a service needs access to resources protected by OAuth 2.0.
Usage
{
    "name": string,
    "type": "ClientCredentialsOAuth2ClientFilter",
    "config": {
        "tokenEndpoint": configuration expression<url>,
        "clientId": configuration expression<string>,
        "scopes": [ configuration expression<string>, ... ],
        "endpointHandler": Handler reference
    }
}
Properties
"tokenEndpoint": configuration expression<url>, required
The URL to the Authorization Server’s OAuth 2.0 token endpoint.
"clientId": configuration expression<string>, optional
The OAuth 2.0 client ID.
If you provide this, use the same identifier as you use in the client authentication filter of the
"endpointHandler".
"scopes": array of configuration expression<strings>, optional
Array of scope strings to request from the Authorization Server.
Default: Empty, request no scopes.
"endpointHandler": Handler reference, optional
The Handler to exchange tokens on the authorization endpoint.
Configure this property as a Chain, using one of the following client authentication filters:
{
    "name": "myHandler",
    "type": "Chain",
    "config": {
        "handler": "ForgeRockClientHandler",
        "filters": [
            {
                "type": "ClientSecretBasicAuthenticationFilter",
                "config": {
                    "clientId": "myConfidentialClient",
                    "clientSecretId": "my.client.secret.id",
                    "secretsProvider" : "mySystemAndEnvSecretStore"
                }
            }
        ]
    }
}
Default: ForgeRockClientHandler
Examples
Find an example in Client credentials grant with PingAM.
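The "clientId" property must use the same identifier as the client authentication filter in the "endpointHandler", and a mismatch is easy to miss in review. The following lint check is an added example, not part of the product or its documentation. It assumes an inline "endpointHandler" Chain and treats any filter type ending in "AuthenticationFilter" as a client authentication filter; the sample route fragment and its token endpoint URL are constructed.

```python
import json

# Constructed sample: the page's endpointHandler Chain inside a filter whose
# own clientId differs from it. The token endpoint URL is a placeholder.
SAMPLE = json.loads("""
{"type": "ClientCredentialsOAuth2ClientFilter",
 "config": {
   "tokenEndpoint": "https://as.example.com/oauth2/access_token",
   "clientId": "someOtherClient",
   "endpointHandler": {
     "name": "myHandler", "type": "Chain",
     "config": {
       "handler": "ForgeRockClientHandler",
       "filters": [{
         "type": "ClientSecretBasicAuthenticationFilter",
         "config": {"clientId": "myConfidentialClient",
                    "clientSecretId": "my.client.secret.id",
                    "secretsProvider": "mySystemAndEnvSecretStore"}}]}}}}
""")

def lint_filter(obj):
    """Return a list of findings for one ClientCredentialsOAuth2ClientFilter."""
    findings = []
    cfg = obj.get("config", {})
    if not cfg.get("tokenEndpoint"):
        findings.append("tokenEndpoint is required")
    handler = cfg.get("endpointHandler")
    if not isinstance(handler, dict):
        return findings  # omitted (default) or a name reference: not resolvable here
    filters = handler.get("config", {}).get("filters", [])
    # Assumption: client authentication filter types end in "AuthenticationFilter".
    auth_ids = [f.get("config", {}).get("clientId") for f in filters
                if isinstance(f, dict) and f.get("type", "").endswith("AuthenticationFilter")]
    if not auth_ids:
        findings.append("endpointHandler has no client authentication filter")
    outer = cfg.get("clientId")
    for inner in auth_ids:
        # Values that are runtime expressions cannot be compared statically.
        if outer and inner and "${" not in outer + inner and outer != inner:
            findings.append(f"clientId mismatch: {outer!r} vs {inner!r}")
    return findings

if __name__ == "__main__":
    for finding in lint_filter(SAMPLE):
        print(finding)
```
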