Monday, November 25, 2024

OIC - when to use the Client Credentials flow vs the Authorization Code flow

In OpenID Connect (OIDC), which builds on OAuth 2.0, the choice between the Client Credentials and Authorization Code flows depends on the type of application and the use case. Here's a breakdown of when to use each:

Client Credentials Flow - When to Use:

  • The application is a server-to-server application (e.g., backend service or API).
  • No user interaction is required.
  • The application needs to authenticate itself to access resources or APIs on behalf of itself, not a user.

Examples:

  • Machine-to-machine API calls.
  • Backend microservices communicating with each other.

Key Characteristics:

  • Only the client_id and client_secret are used to obtain an access token.
  • No user context is involved.

Authorization Code Flow - When to Use:

  • The application requires user interaction and wants to access user-protected resources.
  • Typically used by web applications and native applications that act on behalf of the user.
  • The application needs a high level of security, such as obtaining a refresh token or delegating user-specific actions.

Key Characteristics:

  • Involves a user logging in and consenting to the application accessing their data.
  • Includes a code exchange process where the application gets an authorization code and exchanges it for an access token.
  • Ensures sensitive information (e.g., client_secret) isn't exposed in the browser.

Summary of Use Cases

If your application involves users logging in and granting permissions, go with the Authorization Code flow. 

If it's just a backend system communicating with another system, the Client Credentials flow is the right choice.
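To make the difference concrete, here is an added example (not code from the original post or from Oracle) that builds the token requests for both flows: the Client Credentials request authenticates the backend client alone with its secret, while the Authorization Code request carries a one-time code from the user's login plus a PKCE verifier so that no client_secret has to live in the browser. The endpoint URLs and client values are hypothetical placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Hypothetical identity-provider endpoints, for illustration only.
TOKEN_URL = "https://idp.example.com/oauth2/v1/token"
AUTHORIZE_URL = "https://idp.example.com/oauth2/v1/authorize"


def client_credentials_request(client_id: str, client_secret: str, scope: str) -> dict:
    """Token request for a backend client acting as itself (no user involved).
    The client authenticates with HTTP Basic (RFC 6749 section 2.3.1); the
    secret stays on the server that holds it and is never sent to a browser."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "url": TOKEN_URL,
        "headers": {"Authorization": f"Basic {creds}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": {"grant_type": "client_credentials", "scope": scope},
    }


def pkce_pair() -> tuple[str, str]:
    """PKCE code_verifier / S256 code_challenge (RFC 7636) so a browser or
    native client can run the Authorization Code flow without a client_secret."""
    verifier = secrets.token_urlsafe(64)          # 86 chars, within 43..128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def verify_pkce(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs at the token endpoint."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return secrets.compare_digest(expected, challenge)


def authorization_request_url(client_id, redirect_uri, scope, state, challenge):
    """Step 1 of the Authorization Code flow: the user's browser is sent here
    to log in and consent; 'state' ties the callback to this session."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def authorization_code_request(client_id, code, redirect_uri, verifier):
    """Step 2: back-channel exchange of the one-time code for tokens."""
    return {"url": TOKEN_URL,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": {"grant_type": "authorization_code", "code": code,
                     "redirect_uri": redirect_uri, "client_id": client_id,
                     "code_verifier": verifier}}
```

A confidential web application may add its own client authentication to the step 2 request as well; the point is that the user-facing step never carries the secret.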


Example of a security policy: OAuth Client Credentials added to an OIC connection:

Connection name: Conn_REST_<target>_TriggerInvoke_OAuth




