OAuth2 Client Credentials Grant

In the client credentials flow a client authorizes with the authorization server. After that an access token is issued. The access token can then be used to access a resource.

This flow is suitable in situations when there is a trust relationship between the resource owner and the client. The client accesses the resource without user credentials ( anonymous access ).

Securing an API using OAuth2 and Membrane

You can secure your APIs with OAuth2 using Membrane Service Proxy. This page describes how to use Membrane for Single Sign On ( SSO ) using RFC 6749. One Membrane installation can act as combined authentication and authorisation server. A second Membrane installation can act as a token validation server protecting the API server. Membrane contains everything you need for OAuth2. There is no need to modify the API server in order to protect it.

The figure shows an example setup to protect an API using OAuth2 and Membrane:

Figure1: Using OAuth2 to secure an API server

The following steps are realised:

1. The client submits its client id and client secret as a token request to the authorization server.
2. The authorization server validates the request and responds with an access token.
3. The client calls the API by appending the access token to the request.
4. The token validator sends the access token to the authorization server.
5. The authorization server validates the access token and responds with the validation result.
6. + 7. + 8. Access is granted and the API is called.

Deployment Options

One Membrane installation can be used as a combined authorization server and token validator. But you can also combine an authorization server from a different vendor with a Membrane token validator or vice versa.

Getting Started

• See the example in $MEMBRANE_HOME/examples/oauth2/credentials
• OAuth2 client credentials example