I have a Windows service (no user interaction) which makes calls to protected services (say, for example, it makes calls to a REST / Web API). I tried to use the Client Credentials flow, but it looks like IdentityServer3 does not understand the Client Credentials flow. The subject value (supposed to contain the ClaimsPrincipal object) is null. Any idea what the issue is here? Does IdentityServer3 support the Client Credentials flow? What is the correct way of using the Client Credentials flow with IdentityServer3?

The following is my client code, which eventually gets the response as Internal Server error from IdentityServer3:

    using System.Net.Http;
    using IdentityModel.Client;

    // Requests an access token with the client credentials grant.
    // As posted, this call ends in an Internal Server Error from IdentityServer3.
    static TokenResponse RequestToken()
    {
        var handler = new WebRequestHandler();
        handler.UseDefaultCredentials = true;

        var client = new TokenClient(
            Constants.TokenEndpoint,
            "client",
            "secret", handler);

        // Blocks on the async call; fine for a service, but a failed request surfaces here.
        return client.RequestClientCredentialsAsync("read write").Result;
    }

1 Answer

IdentityServer 3 does support the Client Credentials OAuth Grant Type (see Flow property on the Client class).

The fault will be a configuration issue, so switch on logging for IdentityServer; it will tell you why the request is failing.

Correct Flow for Access Token with Subject Claim

To get an access token that can access a protected resource on behalf of a user, a grant type/flow must be used that has knowledge of a user/identity.

Client Credentials is only used for machine-to-machine communication; it has no concept of a user/identity.

Ideally if the user is authenticated (they logged in to the system), you can issue them an access token at time of login. This can be done using any OpenID Connect flow (Implicit, Authorization Code or Hybrid).

If users are not authenticated, you can use the Resource Owner flow. This flow is generally considered legacy and requires the user's username and password.
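To make the answer concrete, here is an added IdentityServer3 configuration (example code, not the asker's service or the answerer's own code) that registers the machine-to-machine client with `Flow = Flows.ClientCredentials` next to a separate Resource Owner client, and turns on the diagnostics that explain a rejected token request. The client ids, secrets, scope names and the in-memory test user are constructed for this example; a `SigningCertificate` still has to be added to the options before hosting.

```csharp
using System.Collections.Generic;
using IdentityServer3.Core;                   // Sha256() extension used to hash secrets
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.InMemory;
public static class ExampleIdSrvConfig
{
    // Client ids, secrets, scope names and the test user are constructed for this example.
    public static IdentityServerOptions Build()
    {
        var scopes = new List<Scope>
        {
            new Scope { Name = "read", Type = ScopeType.Resource },
            new Scope { Name = "write", Type = ScopeType.Resource }
        };
        var clients = new List<Client>
        {
            // Machine-to-machine client: authenticates with its own secret. Tokens from
            // this grant carry no 'sub' claim, so a user lookup on the API finds nothing.
            new Client
            {
                ClientId = "client",
                Flow = Flows.ClientCredentials,
                ClientSecrets = new List<Secret> { new Secret("secret".Sha256()) },
                AllowedScopes = new List<string> { "read", "write" }
            },
            // Legacy resource owner client: only if the API needs a user identity
            // and no interactive login is possible.
            new Client
            {
                ClientId = "client.ropc",
                Flow = Flows.ResourceOwner,
                ClientSecrets = new List<Secret> { new Secret("secret".Sha256()) },
                AllowedScopes = new List<string> { "read", "write" }
            }
        };
        var users = new List<InMemoryUser>
        {
            new InMemoryUser { Username = "alice", Password = "alice-pass", Subject = "1" }
        };
        var factory = new IdentityServerServiceFactory();
        factory.UseInMemoryScopes(scopes);
        factory.UseInMemoryClients(clients);
        factory.UseInMemoryUsers(users);
        // Verbose diagnostics report why a token request fails (unknown client, wrong
        // secret, scope not allowed for this Flow); LibLog routes them to your logger.
        var logging = new LoggingOptions { EnableWebApiDiagnostics = true, WebApiDiagnosticsIsVerbose = true };
        return new IdentityServerOptions { SiteName = "Example", Factory = factory, LoggingOptions = logging };
    }
}
```

A token obtained by the `client` entry is valid for the API but identifies only the service, so any API code that expects a user behind `ClaimsPrincipal` must either accept that or be fed a token from a user-aware flow instead.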