Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
minLevel1
maxLevel6
outlinefalse
typelist
printablefalse

Description

According to the RFC 6749 an application (client) owns the credentials and uses them to get an access token from the Authorization Server.

...

The response contains an access token, its type and expiration. Refresh token should shall not be included even if a refresh token table is configured for the client.

There are two main use cases for Client Credentials Grant in SSO:

  • Single application use case: token grants access to the application itself;

  • Authorized access use case: token grants access to a number of server applications according to the service user rights (group membership, authentication method allowed for service user account)and requested scope.

Single application use case

Description

In a single application use case a token grants access to only application itself. There is no authorization for this case.

...

Configuration

Prerequisites:

  1. Site Example, OAuth 2.0 application Client1 and group Group1 exist in SSO.

  2. Application Client1 has client_credentials grant type in its metadata:

    Code Block
    languagejson
    ...
     "grant_types": [
        "client_credentials"
      ]
    ...

The following steps are required to configure single application access:

1. Create and enable ClientCredentialsMethod authentication method as described in OAuth 2.0 Client Credentials Grant authentication method - SSO

  1. Add ClientCredentialsMethod method to site Example.

  2. Allow ClientCredentialsMethod method for application Client1

  3. Allow ClientCredentialsMethod method for group Group1.

  4. Allow Group1 to access application Client1.

Now it is possible to get the token with Client1 application credentials. Refer to Client authentication - SSO for more authentication options:

Code Block
POST {{baseUrl}}/uas/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&scope=oidc&client_id=Client1&client_secret=secret

Authorized access use case

Description

In authorized access use case .

...

a token issued with client credentials of one application (Client1) can grant access to other applications (Server1ServerN). Authorization is based on access rights of impersonated user (User1).

For example Client1 could be a command line script, Server1 is SSO Management API and Server2 is CustomerID API.e

The configuration with two server applications shown below.

Gliffy
imageAttachmentIdatt9146531884
macroId0187f6c2-10cf-4e56-8eea-a9b7e1d56308
baseUrlhttps://ubisecuredev.atlassian.net/wiki
nameSSO OAuth 2.0 Client Credentials Grant authorized access to multiple applications
diagramAttachmentIdatt9146564649
containerId9138405377
timestamp1696925089224

The Client application is impersonating a User1 which is a member of 3 groups. Each of these groups has access to the respective application that should be accessible with Client1 application’s client credentials. Authorization policies that can be configured for server applications are omitted from the configuration example as it is not mandatory.

Configuration

Client Credentials Grant can be configured either with SSO Management UI or SSO Management API - SSO. This instruction covers the UI. Refer to Configuring impersonation with Management API - SSO for API instructions.Prerequisite: site “Example”, application “Client1” and group “Group1” exist in SSO

Prerequisites:

  1. Exist in SSO:

    1. Site Example;

    2. OAuth 2.0 applications: Client1, Server1, Server2;

    3. Groups: ClientGroup, Group1, Group2;

    4. User account User1

  2. Application Client1 has client_credentials grant type and client IDs of server applications in its metadata (other scopes are also allowed, e.g. openid):

Code Block
languagejson
...
 "grant_types": [
    "client_credentials"
  ],
  "scope": "Server1 Server2"
...
  1. Server applications do not have any grant types or scopes:

    Code Block
    languagejson
    ...
     "grant_types": [],
     "scope": ""
    ...

The following steps are required to configure multiple applications access:1.

  1. Create and enable authentication method ClientCredentialsMethod as described in OAuth 2.0 Client Credentials Grant authentication method - SSO

  2. Add ClientCredentialsMethod method to site Example.

  3. Allow ClientCredentialsMethod method for applications: Client1, Server1 and Server2.

  4. Allow ClientGroup to access Client1 application.

  5. Allow Group1 to access application Server1.

  6. Allow Group2 to access application Server2.

  7. Allow ClientCredentialsMethod method for user account User1.

  8. Make User1 a member of ClientGroup, Group1 and Group2.

  9. Add Client1 application to the list of applications impersonating an account User1.

...

Now it is possible to get the token for Server1 or Server2 with Client1 application credentials. Scope defines the intended audience for the access token and may also include openid:

Code Block
languagenone
POST {{baseUrl}}/uas/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&scope=Server2&client_id=Client1&client_secret=secret

Then the token can be introspected by the authorized Server2 application:

Code Block
languagenone
POST {{baseUrl}}/uas/oauth2/introspection
Authorization: Basic Server2 secret
Content-Type: application/x-www-form-urlencoded

token={{accessToken}}
Expand
titleIntrospection response example
Code Block
languagejson
{
  "usn": "Client1",
  "iss": "https://localhost:8443/uas",
  "aud": [
    "Server2"
  ],
  "exp": 1696336474,
  "iat": 1696332874,
  "auth_time": 1696332874,
  "amr": [
    "https://localhost:8443/uas/saml2/names/ac/client.credentials.1"
  ],
  "azp": "Server2",
  "session_index": "_2d4a2d858137b04ca0154aac6a651988a5b63089",
  "client.credentials.1.grant_type": [
    "client_credentials"
  ],
  "client.credentials.1.issuer_dn": [
    "cn=Client1,ou=Example,cn=Ubilogin,dc=test"
  ],
  "client.credentials.1.issuer": [
    "Client1"
  ],
  "client.credentials.1.dn": [
    "cn=User1,ou=Example,cn=Ubilogin,dc=test"
  ],
  "client.credentials.1.ldap": [
    "ldap:///cn=Ubilogin,dc=test"
  ],
  "token_type": "access_token",
  "active": true,
  "client_id": "Client1",
  "expires_in": 3596
}

Also user information can be obtained using the received token:

Code Block
POST {{baseUrl}}/uas/oauth2/userinfo
Authorization: Bearer {{accessToken}}
Expand
titleUser info response example
Code Block
languagejson
{
  "usn": "Client1",
  "iss": "https://localhost:8443/uas",
  "aud": [
    "Server2",
    "Client1"
  ],
  "exp": 1696336474,
  "iat": 1696333379,
  "auth_time": 1696332874,
  "amr": [
    "https://localhost:8443/uas/saml2/names/ac/client.credentials.1"
  ],
  "azp": "Client1",
  "session_index": "_236ae5a56862435c4f19e6d6b55d90ae97e79df4",
  "client.credentials.1.grant_type": [
    "client_credentials"
  ],
  "client.credentials.1.issuer_dn": [
    "cn=Client1,ou=Example,cn=Ubilogin,dc=test"
  ],
  "client.credentials.1.issuer": [
    "Client1"
  ],
  "client.credentials.1.dn": [
    "cn=User1,ou=Example,cn=Ubilogin,dc=test"
  ],
  "client.credentials.1.ldap": [
    "ldap:///cn=Ubilogin,dc=test"
  ]
}

Security risk and mitigation

Client Impersonating Resource Owner

As described in OAuth 2.0 Security Best Current Practice there is a risk of mixing client and resource owner identity since SSO

...

Enable the created method

Management

TBD API calls

...

allows clients to choose its own client_id during registration:

Resource servers may make access control decisions based on the identity of a resource owner for which an access token was issued, or based on the identity of a client in the client credentials grant. If both options are possible, depending on the details of the implementation, a client's identity may be mistaken for the identity of a resource owner. For example, if a client is able to choose its own client_id during registration with the authorization server, a malicious client may set it to a value identifying an end-user (e.g., a sub value if OpenID Connect is used). If the resource server cannot properly distinguish between access tokens issued to clients and access tokens issued to end-users, the client may then be able to access resource of the end-user.

Risk mitigation

Only one grant type client_credentials must be configured in client’s application metadata grant_types. There are no grant_types configured for server applications (authorized access use case).

Server application scopes should be defined in the client application’s metadata. Avoid empty scope metadata field since it will allow all audiences.

Authorized Access configuration case must be used with caution. Avoid complicated configurations. Design access controls so that unintentional impersonation is not possible. This could happen if, on the server application, there are other methods enabled in addition to the client credentials method which is often the case with other authentication methods scenarios in SSO.