skip to Main Content

I’ve an API, and I want this API to be used for only authorized clients (just like my web app, application etc.)

There won’t be any user. I want to use onyl client_id & client_secret to authorize my apps and create bearer token to use on every request.

I’ve created a new client on oauth_clients.
And tried to use its own client_id and client_secret in /oauth/token method.

But it returns "Client authentication failed" error.

I’m using that body:

{
  grant_type: "authorization_code",
  client_id: "blabla",
  client_secret: "blabla
}

How can I get my bearer token with only client_secret & client_id without defining any other users?

2

Answers


  1. I think it’s impossible to authenticate client without some more parameters. I had the same problem on project few months ago, and I had to add authorization_code and redirect_uri parameters. After that, I got the both – access and refresh token. Maybe, this link is helpful:

    Login or Signup to reply.
  2. One common mistake that developers make is trying to use the authorization code grant type to authenticate clients that don’t have a user interface or user authentication, such as machine-to-machine (M2M) clients.

    Check my answer: Which OAuth 2.0 grant should I use?

    You need client credentials grant type. This grant type allows confidential clients (i.e., clients that can keep a client secret) to obtain an access token using only their client ID and client secret.

    $response = $http->post('http://your-app.com/oauth/token', [
        'form_params' => [
            'grant_type' => 'client_credentials',
            'client_id' => 'your-client-id',
            'client_secret' => 'your-client-secret',
            'scope' => '',
        ],
    ]);
    
    $access_token = json_decode((string) $response->getBody(), true)['access_token'];
    

    Visual Learner?

    enter image description here

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search