OAuth Client-credentials-flow

Advisor II
Posts: 59
Registered: ‎12-18-2015
#1 of 5 241

OAuth Client-credentials-flow

Hi, I've read across API manuals, particularly about OAuth Client Credentials Flow. Would someone explain the concept of using "client id" and "client secret" to authenticate and retrieve an access token, say, to obtain vaulted data, instead of just hard-coding the passwords itself? It just seems we are replacing one password with another to get access to the stored initial password (e.g. the PS script which is considered in the documentation here).

What am I missing?

Centrify Guru I
Posts: 2,452
Registered: ‎07-26-2012
#2 of 5 233

Re: OAuth Client-credentials-flow

@RomanSilin72495 ,

This is a good reference:  https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/

Please study OAUTH2 terminology and its mapping to capabilities before getting your hands on this.

Super powerful feature set, but very steep learning curve.

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Advisor II
Posts: 59
Registered: ‎12-18-2015
#3 of 5 196

Re: OAuth Client-credentials-flow

Hi Robertson,

I've read the article, and it's still not clear. They say: "Because these are essentially equivalent to a username and password, you should not store the secret in plain text, instead only store an encrypted or hashed version, to help reduce the likelihood of the secret leaking." What is not clear is whether, in 2019, there is really much difference between storing a secret in plain text and storing its "encrypted" version, particularly in places like scripts (especially in a Windows environment), where anyone can see it?

Centrify Guru I
Posts: 2,452
Registered: ‎07-26-2012
#4 of 5 173

Re: OAuth Client-credentials-flow

@RomanSilin72495 ,

Unfortunately, I can't give you feedback on an article I did not write.

What do you want to accomplish?

OAUTH2 is an authorization and delegation framework that works best in the context of enforcing least privilege (e.g. delegate down to the API level) so applications only get access to the calls and data that they need.

Perhaps if we know what you want to accomplish at a high level (no implementation details), we can provide you better guidance. Keep in mind that if a question is asked and we don't really know the context or what the goal is, it makes it difficult to give the best path forward.

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Advisor II
Posts: 59
Registered: ‎12-18-2015
#5 of 5 170

Re: OAuth Client-credentials-flow

Hi, well, the case is programmatically checking passwords in/out of the vault, without user interaction. In the simplest use case this should be implemented as a PS script running as a scheduled task on a Windows host.

>>OAUTH2 is an authorization and delegation framework that works best in the context of enforcing least privilege (e.g. delegate down to the API level)

And this is also something I have not quite understood. If access is managed based on particular API calls, this means that if we grant some API user a scope to invoke an API (say "pull_info_from_vault"), this gives the user full access to everything in the vault, since the API is always the same; we are just changing the request parameter.
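As an added illustration of the two points raised in this thread (not code from the thread, from Centrify, or from the linked article), the following constructed, in-memory model of a client-credentials token endpoint and a vault resource server shows where the hashed secret actually lives (only on the authorization server; the script still holds the plain secret) and how a scope can be defined per vaulted account rather than per API call, so one token does not imply access to the whole vault. Every client id, secret, scope name and vault entry below is a made-up placeholder.

```python
import hashlib, hmac, secrets, time

# Constructed authorization server state. The server stores only a salted hash of the
# client secret; the client (e.g. a scheduled script) is the only party holding it in clear.
SALT = b"constructed-salt"
CLIENT_SECRET = "constructed-client-secret"  # placeholder, lives with the client only

def hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

REGISTERED_CLIENTS = {
    "backup-script": {
        "secret_hash": hash_secret(CLIENT_SECRET, SALT),
        # Scopes granted at registration; the token endpoint never issues more than these.
        "allowed_scopes": {"vault:read:db-backup-account"},
    }
}
ISSUED_TOKENS = {}  # token -> (client_id, granted scopes, expiry epoch)
VAULT = {"db-backup-account": "constructed-vaulted-pw-1",
         "domain-admin": "constructed-vaulted-pw-2"}

def token_endpoint(client_id, client_secret, requested_scopes):
    """grant_type=client_credentials: authenticate the client against the stored hash,
    then grant only the intersection of requested and registered scopes."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return None
    if not hmac.compare_digest(client["secret_hash"], hash_secret(client_secret, SALT)):
        return None  # wrong secret: no token, and no hint which part failed
    granted = set(requested_scopes) & client["allowed_scopes"]
    if not granted:
        return None
    tok = secrets.token_urlsafe(32)
    ISSUED_TOKENS[tok] = (client_id, granted, time.time() + 600)
    return {"access_token": tok, "token_type": "Bearer",
            "scope": " ".join(sorted(granted)), "expires_in": 600}

def checkout_password(token, account):
    """Resource server: one API call for every account, but the scope names the account,
    so a token issued for one account cannot read another."""
    entry = ISSUED_TOKENS.get(token)
    if entry is None or entry[2] < time.time():
        return None  # unknown or expired token
    _, scopes, _ = entry
    if f"vault:read:{account}" not in scopes:
        return None  # valid token, but not scoped for this account
    return VAULT.get(account)
```

Whether a real vault exposes account-level (or folder-level) scopes like this is a property of that product's authorization server, so check its scope definitions before assuming the granularity shown here.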