0

I've an API, and I want this API to be used for only authorized clients (just like my web app, application etc.)

There won't be any user. I want to use onyl client_id & client_secret to authorize my apps and create bearer token to use on every request.

I've created a new client on oauth_clients. And tried to use its own client_id and client_secret in /oauth/token method.

But it returns "Client authentication failed" error.

I'm using that body:

{
  grant_type: "authorization_code",
  client_id: "blabla",
  client_secret: "blabla
}

How can I get my bearer token with only client_secret & client_id without defining any other users?

user2396307
  • 165
  • 2
  • 12

2 Answers2

1

One common mistake that developers make is trying to use the authorization code grant type to authenticate clients that don't have a user interface or user authentication, such as machine-to-machine (M2M) clients.

Check my answer: Which OAuth 2.0 grant should I use?

You need client credentials grant type. This grant type allows confidential clients (i.e., clients that can keep a client secret) to obtain an access token using only their client ID and client secret.

$response = $http->post('http://your-app.com/oauth/token', [
    'form_params' => [
        'grant_type' => 'client_credentials',
        'client_id' => 'your-client-id',
        'client_secret' => 'your-client-secret',
        'scope' => '',
    ],
]);

$access_token = json_decode((string) $response->getBody(), true)['access_token'];

Visual Learner?

enter image description here

Wahyu Kristianto
  • 8,719
  • 6
  • 43
  • 68
-1

I think it's impossible to authenticate client without some more parameters. I had the same problem on project few months ago, and I had to add authorization_code and redirect_uri parameters. After that, I got the both - access and refresh token. Maybe, this link is helpful:

Andrija Antanaskovic
  • 84
  • 3