OAuth 2.0 Client Credentials rule
Verified Providers
SnapLogic verified the following Authentication providers for this rule:
This rule might work with authentication providers, but they haven't been tested and verified.
Known limitation
We don't support Azure AD for the OAuth 2.0 Client Credentials rule because Azure AD doesn't provide an introspection endpoint.
Workaround: Use JWT credentials with the XDeveloperHub Portal rule to authenticate with Azure AD.
Rule requirements
The Oauth2 authentication server must be configured to accept the client ID/secret from the basic auth header during introspection.
OAuth 2.0 Framework for Client Credentials Grant Type
The OAuth 2.0 Client Credentials grant flow is a way for an application (the client) to directly request an access token from an authorization server without involving a user. This flow is suitable for scenarios where the client application needs to access its own resources or when user authentication is not necessary.
The OAuth 2.0 Client Credentials rule lets a client app access other services securely, without needing to know or store any user passwords in SnapLogic's OAuth2 environment to authenticate using its client ID and client secret. The client requests an access token from the authorization server, which it can then use to access protected resources on its own behalf. The authorization server provides a token introspection endpoint to validate the access token as an additional layer of security to the Client Credential OAuth2 framework.
- Client: The client is an application that is requesting access to resources on another web service. The client authenticates itself using its own credentials (client ID and client secret).
- Authorization Server: The authorization server authenticates the user's identity and issues access tokens to the application once authorization is granted.
- Client Registration: The application is registered with the Identity Provider such as Ping Identity, Okta, Auth0, which issues Client ID, Client Secret, and Token Introspection Endpoint. Client ID and Client Secret are used to authenticate the application to Identity Provider.
- Rule Configuration: Configuration of the rule for the API endpoint with Client ID, Client Secret, and Token Introspection Endpoint.
- Token Request: When the application needs to access the API endpoint, it sends a request to the Identity Providers token endpoint, including its client ID, client secret.
- Token Issuance: Identity Provider validates the application's credentials and, if they are correct, issues an access token to the application. This access token represents the authorization on behalf of the application to access the API endpoint.
- Resource Access: The application can now use the access token to access the API endpoint. The application includes the access token in the Authorization header or query of its API requests as configured in the Client Credentials OAuth2 rule.
- The access token is made available in the expression scope
$tokenin the rule wizard. - Access tokens are typically short-lived and expire after a certain period.
- The authorization server can revoke the access token for security reasons before it expires.
Rule execution order
The OAuth 2.0 Client Credential rule executes after early-stage request validation policies, like IP Restriction.
All expression enabled fields take expressions from the SnapLogic Expression Language and the API rule Catalogue functions.
| Field | Description |
|---|---|
| When this rule should be applied | An expression that defines one or more conditions that must be
true for the rule to execute.
Example: The expression |
| Introspection Endpoint | Required. The mechanism for client servers to obtain
information about the access token. The response from this token introspection
endpoint will be stored in $response and can be referenced in User ID
Expression and Roles Expression. Example: https://auth.pingone.com/2f6b6ab3-1fa7-4a7d-ba4d-00dbebd6d056/as/introspect |
| Client ID |
Required. The ID of the application registered with the OAuth2 provider. Example: [email protected] |
| Client Secret |
Required. The client secret for the application registered with the OAuth2 provider. You can also reference a secret from a 3rd-party Secrets Manager vendor by entering an expression. Example: chocolatE |
| Extract into $token |
Required. The names of the headers that can contain the key. If more than one header is given, they will all be checked. Click + to add more custom header keys. |
| Custom Header Keys |
The names of the headers that can contain the key. If more than one header is given, they will all be checked. Click + to add more custom header keys.Example: X-API-Key |
| Custom Query String Parameter | The names of the query parameters that can contain the key. If more than one
name is given, they will all be checked. Click + to add more custom query string
parameters. Example: access_token |
| Authorization Type | If the key is in the Authorization header, this value is
used as the “type” to check. Default value: Token Example: Key |
| Extract User Info |
Required. Specifies how to extract information about the user from the working object. |
| User ID Expression |
Required. An expression that returns a string to be used as the user ID. Example: $response.email |
| Roles Expression |
Required. An expression that returns the list of roles this user is in. Example: $response.groups.map(group => group.name) |
| Time-To-Live in Seconds |
Required. The number of seconds the token is valid for before it is re-validated. Default value: 600 (10 minutes) Example: 700 |
| Description |
This rule to authenticate users with a token in your OAuth 2.0 environment. Default value: Authenticating requests using specified OAuth service |