I’ve an API, and I want this API to be used for only authorized clients (just like my web app, application etc.)
There won’t be any user. I want to use onyl client_id & client_secret to authorize my apps and create bearer token to use on every request.
I’ve created a new client on oauth_clients.
And tried to use its own client_id and client_secret in /oauth/token method.
But it returns "Client authentication failed" error.
I’m using that body:
{
grant_type: "authorization_code",
client_id: "blabla",
client_secret: "blabla
}
How can I get my bearer token with only client_secret & client_id without defining any other users?
2
Answers
I think it’s impossible to authenticate client without some more parameters. I had the same problem on project few months ago, and I had to add authorization_code and redirect_uri parameters. After that, I got the both – access and refresh token. Maybe, this link is helpful:
One common mistake that developers make is trying to use the authorization code grant type to authenticate clients that don’t have a user interface or user authentication, such as machine-to-machine (M2M) clients.
Check my answer: Which OAuth 2.0 grant should I use?
You need client credentials grant type. This grant type allows confidential clients (i.e., clients that can keep a client secret) to obtain an access token using only their client ID and client secret.
Visual Learner?