Client Credentials Flow: Obtain Access Token

Authenticate client applications using Client Credentials flow and get access tokens for Connect API access.
﻿
Raidiam recommends reading the Obtaining Access Tokens﻿  article first to learn about used specifications, all available access scopes and what they enable, and more.
sequenceDiagram
autonumber
participant app as Client Application
participant as as Raidiam Authorisation Server
participant api as Connect APIs
app->>as: /token
Note over app, as: tls_client_auth or private_key_jwt<br />as client auth method
Note over app, as: grant_type=client_credentials
Note over app, as: client_id=$client_id
Note over app, as: scope=directory:software
as->>as: Verify request
as->>app: Access Token
app->>api: Access API with Token
sequenceDiagram
autonumber
participant app as Client Application
participant as as Raidiam Authorisation Server
participant api as Connect APIs
app->>as: /token
Note over app, as: tls_client_auth or private_key_jwt<br />as client auth method
Note over app, as: grant_type=client_credentials
Note over app, as: client_id=$client_id
Note over app, as: scope=directory:software
as->>as: Verify request
as->>app: Access Token
app->>api: Access API with Token
﻿
Prerequisites
Active and valid Application﻿ (Software Statement)

Active Transport Certificate﻿

If not yet added, request Transport Certificate﻿ for an organisation or an application.

Active Signing Certificate﻿ along with a Public and Private Keys﻿ if your application uses the private_key_jwt client authentication method.

If not yet added, request Signing Certificate﻿ for your organisation or application.
Get Access Token Using CC Flow
1
Add Raidiam's Authorisation Server /.well-known endpoint to your OAuth library configuration.
Your OAuth library should be able to get the server's configuration.
Sample /.well-known: https://auth.sandbox.raidiam.io/.well-known/openid-configuration﻿
The /.well-known endpoint contains all the information about the Authorisation Server﻿ you need to successfully integrate with the server and get access tokens, for example the OAuth Token Endpoint: "token_endpoint": "https://auth.sandbox.raidiam.io/token" or mTLS Endpoint Aliases - for clients authenticating themselves using the tls_client_auth method:
Sample mTLS Endpoint Aliases
  "mtls_endpoint_aliases": {
    "token_endpoint": "https://matls-auth.sandbox.raidiam.io/token",
    "revocation_endpoint": "https://matls-auth.sandbox.raidiam.io/token/revocation",
    "introspection_endpoint": "https://matls-auth.sandbox.raidiam.io/token/introspection",
    "device_authorization_endpoint": "https://matls-auth.sandbox.raidiam.io/device/auth",
    "registration_endpoint": "https://matls-auth.sandbox.raidiam.io/reg",
    "userinfo_endpoint": "https://matls-auth.sandbox.raidiam.io/me",
    "pushed_authorization_request_endpoint": "https://matls-auth.sandbox.raidiam.io/request",
    "backchannel_authentication_endpoint": "https://matls-auth.sandbox.raidiam.io/backchannel"
  }
  "mtls_endpoint_aliases": {
    "token_endpoint": "https://matls-auth.sandbox.raidiam.io/token",
    "revocation_endpoint": "https://matls-auth.sandbox.raidiam.io/token/revocation",
    "introspection_endpoint": "https://matls-auth.sandbox.raidiam.io/token/introspection",
    "device_authorization_endpoint": "https://matls-auth.sandbox.raidiam.io/device/auth",
    "registration_endpoint": "https://matls-auth.sandbox.raidiam.io/reg",
    "userinfo_endpoint": "https://matls-auth.sandbox.raidiam.io/me",
    "pushed_authorization_request_endpoint": "https://matls-auth.sandbox.raidiam.io/request",
    "backchannel_authentication_endpoint": "https://matls-auth.sandbox.raidiam.io/backchannel"
  }
﻿
2
﻿Download Transport Certificate﻿ for your organisation or application and add it to your OAuth library client's configuration.
The Transport Certificate will be used in mutual Transport Layer Security (mTLS) to establish a secure connection between your client and the authorisation server.
Your OAuth client library should be capable of verifying the authorisation server's certificate.
If you are using cURLs to test the integration, you can disable checking the server's certificate using the -k flag or --insecure option.
3
Call the Raidiam's OAuth /token endpoint to authenticate your client.
Utilize the client authentication method configured for your client:
tls_client_auth -- Mutual-TLS Client Authentication and Certificate-Bound Access Tokens RFC8705

If your using the tls_client_auth method, remember to use the mTLS endpoint aliases instead of the regular OAuth token endpoint.

private_key_jwt - Assertion Framework for OAuth 2.0 Client Authentication RFC7521
﻿
cURL to /token Template
curl --location --request POST 'https://{base_url}/token' \
--cert /path/to/your/certificate.pem \
--key /path/to/your/private.key \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id={client_id}' \
--data-urlencode 'scope=directory:software' \
curl --location --request POST 'https://{base_url}/token' \
--cert /path/to/your/certificate.pem \
--key /path/to/your/private.key \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id={client_id}' \
--data-urlencode 'scope=directory:software' \
﻿
Upon successful validation of the request, the authorisation server issues and returns an access token - in a form of a JWT signed using the algorithm configured for your client (Applications > your application > Advanced Configuration > Token Signed Response Algorithm ID)
﻿
Obtaining Access Tokens
Authorization Code Flow: Obtain Access Token