Client Credentials Grant

class oauthlib.oauth2.ClientCredentialsGrant(request_validator=None, **kwargs)[source]


The client can request an access token using only its client credentials (or other supported means of authentication) when the client is requesting access to the protected resources under its control, or those of another resource owner that have been previously arranged with the authorization server (the method of which is beyond the scope of this specification).

The client credentials grant type MUST only be used by confidential clients:

+---------+                                  +---------------+
:         :                                  :               :
:         :>-- A - Client Authentication --->: Authorization :
: Client  :                                  :     Server    :
:         :<-- B ---- Access Token ---------<:               :
:         :                                  :               :
+---------+                                  +---------------+

Figure 6: Client Credentials Flow

The flow illustrated in Figure 6 includes the following steps:

  1. The client authenticates with the authorization server and requests an access token from the token endpoint.

  2. The authorization server authenticates the client, and if valid, issues an access token.

async add_token(token, token_handler, request)
Parameters:
  • token

  • token_handler – A token handler instance, for example of type oauthlib.oauth2.BearerToken.

  • request (oauthlib.common.Request) – OAuthlib request.

async create_authorization_response(request, token_handler)
Parameters:
  • request (oauthlib.common.Request) – OAuthlib request.

  • token_handler – A token handler instance, for example of type oauthlib.oauth2.BearerToken.

async create_token_response(request, token_handler)[source]

Return token or error in JSON format.

Parameters:
  • request (oauthlib.common.Request) – OAuthlib request.

  • token_handler – A token handler instance, for example of type oauthlib.oauth2.BearerToken.

If the access token request is valid and authorized, the authorization server issues an access token as described in Section 5.1. A refresh token SHOULD NOT be included. If the request failed client authentication or is invalid, the authorization server returns an error response as described in Section 5.2.
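The token-endpoint behaviour described above, as an added example that is not oauthlib's code and does not call the library: it uses only the standard library. The client registry, the names `authenticate_client` and `token_endpoint`, HTTP Basic as the client authentication method, and the order of the checks are assumptions of the example.

```python
import base64, hashlib, hmac, json, secrets

# Constructed registry for the example: client_id -> (SHA-256 of secret, allowed scopes).
CLIENTS = {"svc-reports": (hashlib.sha256(b"s3cr3t-constructed").hexdigest(), {"reports:read"})}
NO_CLIENT = (hashlib.sha256(b"").hexdigest(), set())  # keeps unknown ids on the same code path

def _reply(status, payload, extra=None):
    # Sections 5.1 and 5.2: JSON body, and token responses must not be cached.
    headers = {"Content-Type": "application/json", "Cache-Control": "no-store", "Pragma": "no-cache"}
    headers.update(extra or {})
    return status, headers, json.dumps(payload)

def authenticate_client(authorization):
    """Return the client_id for valid HTTP Basic credentials, otherwise None."""
    try:
        scheme, blob = authorization.split(" ", 1)
        client_id, secret = base64.b64decode(blob, validate=True).decode().split(":", 1)
    except (AttributeError, ValueError):  # missing header, bad base64, bad UTF-8, no colon
        return None
    stored, _ = CLIENTS.get(client_id, NO_CLIENT)
    presented = hashlib.sha256(secret.encode()).hexdigest()
    ok = hmac.compare_digest(presented, stored)  # constant-time comparison
    return client_id if ok and scheme.lower() == "basic" and client_id in CLIENTS else None

def token_endpoint(authorization, form):
    """Handle one token request; form is the decoded POST body as a dict."""
    client_id = authenticate_client(authorization)
    if client_id is None:
        return _reply(401, {"error": "invalid_client"}, {"WWW-Authenticate": 'Basic realm="token"'})
    if not form.get("grant_type"):
        return _reply(400, {"error": "invalid_request"})
    if form["grant_type"] != "client_credentials":
        return _reply(400, {"error": "unsupported_grant_type"})
    allowed = CLIENTS[client_id][1]
    scopes = set(form.get("scope", "").split()) or allowed  # default to the client's scopes
    if not scopes <= allowed:
        return _reply(400, {"error": "invalid_scope"})
    # Success: bearer token with a lifetime and no refresh_token member.
    return _reply(200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                        "expires_in": 3600, "scope": " ".join(sorted(scopes))})
```

Because the client can always authenticate again with its own credentials, the success body carries no `refresh_token`, and every failure path returns one of the Section 5.2 error codes without revealing whether the client id or the secret was wrong.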

prepare_authorization_response(request, token, headers, body, status)

Place token according to response mode.

Base classes can define a default response mode for their authorization response by overriding the static default_response_mode member.

Parameters:
  • request (oauthlib.common.Request) – OAuthlib request.

  • token

  • headers

  • body

  • status

async validate_grant_type(request)
Parameters:
  • request (oauthlib.common.Request) – OAuthlib request.

async validate_scopes(request)
Parameters:
  • request (oauthlib.common.Request) – OAuthlib request.

async validate_token_request(request)[source]
Parameters:
  • request (oauthlib.common.Request) – OAuthlib request.