OAuth2 Client Credentials Flow#
The client credentials flow lets applications exchange a set of client credentials for an OAuth2 access token.
The client may use client credentials such as API-keys or JWT signature, or a session Bearer token, depending on how it is previously authenticated.
The script should first fetch an access token from the Argus OAuth Token endpoint
curl -XPOST -H"Argus-API-Key: my/api/key" https://api.mnemonic.no/authentication/v1/oauth/token -d client_id=04d45a6b-05a1-4bed-8181-5c5d46d4f64e -d grant_type=client_credentials
Argus will respond with an access token:
{"access_token":"myUserName/ckEgvr23mT8PfPMPddVY7wYuuE6t6YmKLKr7tu3pV8ajvbGHzuJ9crvwoPFUBj9o","id_token":null,"refresh_token":null,"token_type":"Bearer","expires_in":300}
The script should then use this token as an Authorization:Bearer header towards the client application:
curl -XPOST -H"Authorization:Bearer myUserName/ckEgvr23mT8PfPMPddVY7wYuuE6t6YmKLKr7tu3pV8ajvbGHzuJ9crvwoPFUBj9o" https://my.application/dosomething
The client application should invoke the Argus Token Introspection (RFC7662) endpoint to verify the token.
curl -XPOST -H"X-Forwarded-For: 94.127.56.1" https://api.mnemonic.no/authentication/v1/oauth/token -d client_id=04d45a6b-05a1-4bed-8181-5c5d46d4f64e -d client_secret=mySecretPassword -d token=myUserName/ckEgvr23mT8PfPMPddVY7wYuuE6t6YmKLKr7tu3pV8ajvbGHzuJ9crvwoPFUBj9o
The introspection endpoint will verify that the token is issued for this client, and will return the token state, enabled scopes and expiry timestamp:
{
"active": true,
"token_type": "Bearer",
"exp": 1758696924,
"scope": "openid profile",
"username": "myUserName"
}
Tip
Argus also supports clients sending clientID and client secret in a HTTP Basic Authorization header, which should be a base 64-encoded string:
base64(clientid + ":" + clientsecret)
in a header:
Authorization: Basic MDIxMjY5YzUtMDRjMy00Mzk5LWEyMDYtMzI2NTljNDg5ODAzOm15U2VjcmV0UGFzc3dvcmQK
To act on the users behalf, the client application may invoke any Argus endpoint using the access token:
curl -XGET -H"X-Forwarded-For: 94.127.56.1" -H"Authorization:Bearer myUserName/ckEgvr23mT8PfPMPddVY7wYuuE6t6YmKLKr7tu3pV8ajvbGHzuJ9crvwoPFUBj9o" https://api.mnemonic.no/authentication/v1/oauth/userinfo
Warning
The client MUST forward the user agents origin IP using the X-Forwarded-For
header
when invoking an Argus API, as Argus will verify that this IP corresponds
with the IP used to create the access token.