FusionAuth

Client credentials grant flow: Basic auth or client_id and client_secret in the body?

    Theraloss
    last edited by 30 Jul 2021, 08:31

    Hey y'all,
    I've read in the Client Credentials docs that the Authorization header is required (with basic auth of Client ID and Client Secret), but we (by chance, while migrating from Auth0) discovered that sending those credentials (ID and Secret) in the body, without any Authorization header, also works fine.

    What's the point of that? Is "Basic Auth" the recommended option to go with, and will support for credentials in the body be removed in the future?

      joshua
      last edited by joshua 8 Mar 2021, 19:55 3 Aug 2021, 19:28

      Hi @Theraloss,

      I am not sure if this is a bug or not. I can try and get some clarity around it and post back what I discover. I was able to replicate the behavior on my local as well.

      Thanks,
      Josh

        joshua
        last edited by 4 Aug 2021, 00:32

        The client credentials grant was added quite recently as part of the Entities feature (as you may be aware). It looks like the same endpoint

        POST /oauth2/token

        is referenced in the related doc to indicate that a client id and client secret can be used as a supplement or alternative to the basic auth. Please see below:

        https://fusionauth.io/docs/v1/tech/oauth/endpoints/#token

        Per this documentation, this is a known configuration.

        (screenshot attached: Screen Shot 2021-08-03 at 6.17.12 PM.png)

        I have created a PR to update our documentation.

        https://github.com/FusionAuth/fusionauth-site/pull/859

        You can track the PR until it merges, but I believe that it is reasonably safe to assume you will be able to continue to access the client credentials grant in this manner.

        Thanks for the heads up!

        Thanks,
        Josh

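For readers who want to see the two client authentication methods the thread compares side by side, here is an added example (it is not FusionAuth code and is not taken from the documentation linked above). It builds a client credentials request both ways, `client_secret_basic` (Authorization header) and `client_secret_post` (credentials in the form body), and shows how a token endpoint can accept either one while rejecting a request that uses both at once, as RFC 6749 requires. The client id, client secret and registration table are constructed values; the `/oauth2/token` path is the one named in the post.

```python
"""Two ways a confidential client can authenticate to an OAuth 2.0 token
endpoint for the client credentials grant, and how a token endpoint can
accept either one without accepting both at once.

Added example for this thread; it is not FusionAuth code. The client id,
secret and registration table below are constructed values.
"""
import base64
import hmac
from urllib.parse import parse_qs, quote, unquote, urlencode

TOKEN_PATH = "/oauth2/token"  # the endpoint named in the thread

# Constructed registration record; a real server stores a hash of the secret.
REGISTERED_CLIENTS = {"my-app": "s3cr3t-value-with-chars:/?&"}


def basic_auth_request(client_id: str, client_secret: str) -> dict:
    """client_secret_basic: credentials travel in the Authorization header.

    RFC 6749 section 2.3.1 requires both values to be form-urlencoded before
    being joined with ':' and base64-encoded, so a ':' or '&' in a secret
    cannot corrupt the header.
    """
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    token = base64.b64encode(raw.encode("ascii")).decode("ascii")
    return {
        "headers": {"Authorization": f"Basic {token}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "client_credentials"}),
    }


def body_auth_request(client_id: str, client_secret: str) -> dict:
    """client_secret_post: credentials travel as form parameters in the body."""
    return {
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
        }),
    }


def extract_client_credentials(headers: dict, body: str):
    """Server side: return (client_id, client_secret) from whichever method
    the client used, or None if the request is malformed.

    A client must not use more than one authentication method per request
    (RFC 6749 section 2.3), so a request carrying both is rejected rather
    than silently preferring one of them.
    """
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    in_body = "client_id" in form or "client_secret" in form
    auth = headers.get("Authorization", "")
    in_header = auth.startswith("Basic ")

    if in_header and in_body:
        return None          # ambiguous: two authentication methods at once
    if in_header:
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("ascii")
            enc_id, enc_secret = decoded.split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return None      # not valid base64, or no ':' separator
        return unquote(enc_id), unquote(enc_secret)
    if "client_id" in form and "client_secret" in form:
        return form["client_id"], form["client_secret"]
    return None              # no usable credentials


def authenticate_client(headers: dict, body: str) -> bool:
    """True only if the presented secret matches the registered one."""
    creds = extract_client_credentials(headers, body)
    if creds is None:
        return False
    client_id, presented = creds
    expected = REGISTERED_CLIENTS.get(client_id)
    if expected is None:
        return False
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    for build in (basic_auth_request, body_auth_request):
        req = build("my-app", REGISTERED_CLIENTS["my-app"])
        print(build.__name__, "->", authenticate_client(req["headers"], req["body"]))
```

Both request shapes authenticate the same registered client; the server-side helper is where the behaviour described in the thread (either method accepted) is made explicit, together with the one case a token endpoint should refuse: credentials arriving in the header and the body of the same request.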
          Theraloss
          last edited by 4 Aug 2021, 12:32

          Hi Joshua,
          Thank you for the updates!
