Client credentials grant flow: Basic auth or client_id and client_secret in the body?
-
Hey y'all,
I've read in the Client Credentials docs that the Authorization header is required (with basic auth of Client ID and Client Secret), but we (by accident, while migrating from Auth0) discovered that sending those credentials (ID and Secret) in the body, without any Authorization header, also works fine. What's the point of that? Is "Basic Auth" the recommended option to go with, and will support for credentials in the body be removed in the future?
-
Hi @Theraloss,
I am not sure if this is a bug or not. I can try and get some clarity around it and post back what I discover. I was able to replicate the behavior on my local as well.
Thanks,
Josh
-
The client credentials grant was added quite recently as part of the Entities feature (as you may be aware). It looks like the same endpoint, POST /oauth2/token, is referenced in the related doc to indicate that a client id and client secret can be used as a supplement or alternative to basic auth. Please see below:
https://fusionauth.io/docs/v1/tech/oauth/endpoints/#token
Per this documentation, this is a known configuration.
I have created a PR to update our documentation.
https://github.com/FusionAuth/fusionauth-site/pull/859
You can track the PR until it merges, but I believe that it is reasonably safe to assume you will be able to continue to access the client credentials grant in this manner.
Thanks for the heads up!
Thanks,
Josh
-
Hi Joshua,
thank you for the updates!