Hi Team,
We are building a custom app that uses OAuth authentication.
Is it possible to make this OAuth authentication from server to server using client credentials instead of redirecting to a new page where the user logs in using a username and password?
We tried passing grant_type: client_credentials in OAuth.configs also.
Any suggestions here would be really helpful.
Can you try using "token_type": "account" in config/oauth_config.json? This will ask for authorization when the app is installed, as opposed to an agent using it. You can then use OAuth in Request Method in serverless functions and serverless event handlers.
You can look at this OAuth sample app.
Hi @kaustavdm - both account and agent token_type are performing a front channel authentication, it seems to be using the authorization code grant type by default. The custom app opens the authorize_url in a browser when the user tries to install the app or authorize it.
But we are looking for a back-channel authentication using the Client Credentials grant type for the server-to-server authentication process. The customer has shared the client_id and client_secret for this Client Credentials grant type, and there is no username/password associated with it.
We want to understand how we can do the back channel authentication using the client credentials grant type flow by using the platform OAuth feature.
@kaustavdm - appreciate an update on this.
I don’t think that’s possible to do today. I might be wrong. @Raviraj, can you confirm?
We don’t support any grant type other than Authorization Code today.
Since this is a custom app, if you are up for handling the token refresh on your own, you could explore the following option:
- Use a custom installation page for your app and perform the credential exchange for a token in the installation page itself (happens in the context of an admin, so should be OK security-wise).
- Save the tokens as secure installation parameters when the app is installed.
- Refer to the tokens for requests you make - either for accessing API resources or for refreshing an expired token.
We will update our documentation to make it explicit what grant type we support today.
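As an added example of the "handle the token refresh on your own" option above (not code from the platform or from anyone in this thread): a small client_credentials token manager for Node.js that performs the back-channel exchange with HTTP Basic client authentication, caches the access token with its expiry, and re-requests it once it has expired, since the client_credentials grant normally returns no refresh_token. The tokenUrl, clientId, clientSecret, the injected fetch/clock and the `store` hook (standing in for secure installation parameters) are all assumptions.

```javascript
// Added example: client_credentials token manager with expiry-based re-request.
// Assumptions: tokenUrl/clientId/clientSecret are ours; `store` is a hypothetical
// persistence hook (e.g. secure installation parameters); fetchImpl/now are
// injectable so the logic can be exercised offline.
function createClientCredentialsClient({
  tokenUrl,
  clientId,
  clientSecret,
  scope,
  fetchImpl = globalThis.fetch,
  now = () => Date.now(),
  store = { load: () => null, save: () => {} },
  skewMs = 30000 // treat a token as expired slightly before the server does
}) {
  let cached = store.load(); // token previously persisted at install time, if any

  function isValid(token) {
    return Boolean(token) && typeof token.access_token === 'string' &&
      token.expires_at - skewMs > now();
  }

  // Back-channel exchange: POST grant_type=client_credentials with the client
  // authenticating via Basic auth; no user, no browser redirect involved.
  async function requestToken() {
    const body = new URLSearchParams({ grant_type: 'client_credentials' });
    if (scope) body.set('scope', scope);
    const basic = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
    const res = await fetchImpl(tokenUrl, {
      method: 'POST',
      headers: {
        Authorization: `Basic ${basic}`,
        'Content-Type': 'application/x-www-form-urlencoded'
      },
      body: body.toString()
    });
    if (!res.ok) throw new Error(`token endpoint returned HTTP ${res.status}`);
    const json = await res.json();
    if (typeof json.access_token !== 'string') throw new Error('no access_token in response');
    const token = {
      access_token: json.access_token,
      token_type: json.token_type || 'Bearer',
      expires_at: now() + (Number(json.expires_in) || 0) * 1000
    };
    store.save(token); // persist so later requests/functions can reuse it
    return token;
  }

  // Returns a usable bearer token, re-running the exchange only when needed.
  async function getAccessToken() {
    if (!isValid(cached)) cached = await requestToken();
    return cached.access_token;
  }

  return { getAccessToken, requestToken };
}
```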