OAuth2 client credentials


So right now I’m implementing oauth2 in my server, but I just want to support the client_credentials grant. The thing is, the node-oauth2-server says that supports this type of grant, and I pretty much debugged the whole library, and there are some things that doesn’t make sense to me.

As far as I understand, the client_credentials grant should work like this:

  1. An internal request should be made to generate the client_id and client_secret for the client, this is the only time we will get the client_secret and we should give this to our client
  2. The client_id should be stored in database with any extra data (like the account id associated or something like this) and a hash of client_secret so we can later validate it
  3. The client sends a request to the server including the client_id and client_secret
  4. The server should then generate an access token (in my case I will be using JWT) and return from the request. We also need to store this token in database so we can revoke the permission if needed
  5. The client must use this access token in future requests to access resources from server, and the server will validate on each request if the token is valid (didn’t expire, didn’t lose permissions, etc)

I may be wrong about this, but this is what I need and this exactly what C# Identity does and it is explained here.

In my case I’m working with nodejs. Actually is a NestJS project, so I was trying to use this lib which is basically a wrapper for node-oauth2-server, and if you take a look inside node-oauth2-server, looks like they only support authorization codes, this is because the AuthorizeHandler.handle() always returns an authorization code and AuthenticateHandler.handle() always expects the authorization code and returns the access token. Basically I need to call the AuthenticateHandler.handle() but instead of checking the authorization code, I must pass and check the client_id and client_secret.

This is a recent issue which has the exact same issue than me: https://github.com/oauthjs/node-oauth2-server/issues/552

So, first, I want to confirm that I’m right and this lib have this implemented in a bad way, and second, is there any other nodejs lib that has client_credentials built in?


As you’ve mentioned that it doesn’t support client_credentials grant at the moment, you can still utilize the authorization code flow grant type internally to get the access token.

  • Prepare client_credentials grant type request and submit to server.
  • Map this request to authorization code flow with additional
    attributes require for the authorization code flow.
  • Submit the request to Authorization server.
  • Get the code from response.
  • Prepare the token exchange call with the oauth code.
  • Get the access_token.
  • Return the token in response to client_credentials call.

Answered By – harry

Answer Checked By – Robin (AngularFixing Admin)

Leave a Reply

Your email address will not be published.