Machine-to-Machine Application

A Machine-to-Machine Application allows for a secure, authorised communication channel between different autonomous systems. This is possible by means of OAuth 2.0 client credentials grant flow.

Typical authentication schemes like username and password, social logins, federated identity, don't make sense when trying to connect autonomous system (ie. two backend services from different companies). On these typical schemes the authorisation attempts to establish trust by authorising a user, but in machine to machine communications what needs to be authorised and trusted is the client (application / process, etc).

On OAuth 2.0 client credentials grant flow the client holds two part of the information: the client id and the client secret, and with these it can request an access token to a specific resource server (audience).

1. Using the client id, client secret and audience the client requests for an access token to the authorisation server.
2. The request is validated by the authorisation server. If successful, an access token is returned.
3. With the provided access token the client can access the protected resources of resource server.

The client credentials grant flow is only meant to be used in trusted clients, since the client must always hold the client secret. This means that it must only be used where there is no risk for that client secret to be leaked / misused (eg. using it to make request on a web application).

Set up

The guides below demonstrates how to integrate your Machine-to-Machine Application with the Identity Product, on our development, testing, staging and production environments.

To get started Identity Product will provide, per environment:

• IdP Domain (issuerBaseURL)
• Client ID
• Client Secret
• Audience

Getting an access token

You can execute a client credentials exchange to get an access token for the audience. Here is an example using CURL:

Request

curl --request POST \\
--url https://\${IDP_DOMAIN}/oauth/token \\
--header 'content-type: application/json' \\
--data '{"client_id":\${CLIENT_ID},"client_secret":\${CLIENT_SECRET},"audience":\${RESOURCE_SERVER},"grant_type":"

Response

{
  "access_token": __ACCESS_TOKEN__,
  "token_type": "Bearer"
}

That's it!

The client is now able to make authorised calls to the resource server.

Testing the integration

You can use this bearer token with an Authorization Header in your request to obtain authorized access to your API.

curl --request GET \\
--url http://\${IAGL_API}/\${IAGL_RESOURCE} \\
--header 'authorization: Bearer __ACCESS_TOKEN__'