Using Feide with Client Credentials Flow¶
OIDC/OAuth defines many different flows, depending on the use case. One of these flows does not include an authenticated end-user. This is called the Client Credentials flow. This flow allows a client to immediately obtain an access token without involving any end users. This flow is typically used in system to system interactions.
Although most of the built in APIs of Feide require the end user to be authenticated, this flow is useful for accessing third party APIs protected by the Feide API Gatekeeper. A good practice when designing APIs to access user data is to prepare for access both from systems and on behalf of authenticated end users.
Registering a client to use with client credentials flow¶
Any client can be used with client credentials flow, and no special steps are needed during registration.
Using Client Credentials flow¶
Here are some references:
To obtain an access token, the client must send a form POST request
application/x-www-form-urlencoded) to the Feide token endpoint with the body
grant_type=client_credentials. The request should be authenticated with basic
authentication with the client id and client secret. Feide will issue a token that
is not associated with any end-user.
Here is an example
curl command to obtain an access token:
export CLIENT_ID=4cc40647-0d56-4de2-9f8f-975ff1ca55a8 export CLIENT_SECRET=b54cbb37-1a75-41bc-8471-c44045d6b0e2 curl -X POST https://auth.dataporten.no/oauth/token -u $CLIENT_ID:$CLIENT_SECRET -d 'grant_type=client_credentials'
Here is an example of expected output:
"access_token": "9c256322-7c11-4220-93d6-fc5ffad3cb13", "token_type": "Bearer", "expires_in": 28799, "scope": "gk_kdto99 gk_tokenissuer"
Accessing protected APIs¶
Notice the scopes for accessing third party APIs. They are all
gk_. Other scopes are mostly relevant only when a user
is authenticated. For example, you may not use the userinfo endpoint
with a token obtained through client credentials flow, even if you have
Accessing a protected third party API using such an access token is no different to using regular access tokens.
GET /foo/bar HTTP/1.1 Host: kdto99.dataporten-api.no Authorization: Bearer 9c256322-7c11-4220-93d6-fc5ffad3cb13
Preparing a third party API for clients¶
When preparing an API for use with a system client, make sure that you verify whether or not the request is a system request or an authenticated user request.
Requests containing an
X-Dataporten-userid header represent an
authenticated user, and requests without this header are system requests
obtained using client credentials flow.
Depending on the use case, access both from systems and authentication users may or may not be acceptable.