Client Credential Flow

This Connector supports Client Credential Flow authorization between Fusebit Integrations and services that support it. It is commonly used to authorize against your own backend rather than a third-party backend.

Because the client credential flow differs from web-based OAuth flows such as the authorization code flow, many of the usual configuration elements do not apply. The Client Credential Flow Connector collects a unique OAuth client_id and client_secret for every Session it is part of. This enables your app to obtain a different set of OAuth credentials for every user or tenant of your app.

Using the Client Credential Flow Connector requires changing the way your backend creates Sessions during the authorization process, so that it supplies the client_id and client_secret unique to that Tenant. The Connector then uses these credentials to perform the necessary token exchange flows.

Getting Started

  1. Use the Fusebit Management Portal to create an account and log in.
  2. Create a new Integration using any one of our templates.
  3. In the integration view, select the Add New button on the right.
  4. Enter OAuth into the New Connector Dialog and select the Client Credential Flow option.
  5. Click on the new Client Credential Flow connector and enter the token exchange endpoint for your Client Credential Flow service.
  6. At this point, you will need to modify the code running on your server. Modify the session creation POST to include an input block, similar to the following:
{
  "redirectUrl": "http://example.com/redirect",
  "input": {
    "ccfConnector": {
      "client_id": "AAAA",
      "client_secret": "BBBB"
    }
  }
}

The input block is consumed by the ccfConnector Connector (or whichever Connector name you declare in the components block of your Integration), and should specify the client_id and client_secret specific to the tenant you are creating the session for.

Authorization with Client Credential Flows

At this point, the client credential flow will happen as an invisible step for the end user. There will be no configuration screens, prompts, or other indications that the credentials were exchanged for an access token.
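The per-tenant session body and the exchange that then happens out of sight can be sketched as follows. This is an added example, not Fusebit code: the function names and the sample tenant record are hypothetical, and it assumes a token endpoint that accepts HTTP Basic client authentication as described in RFC 6749 section 4.4.

```javascript
// Added example, not Fusebit code. Function names and the tenant record are hypothetical.

// Build the session-creation body shown on this page with one tenant's credentials.
function buildSessionBody(tenant, redirectUrl, connectorName = 'ccfConnector') {
  if (!tenant || !tenant.client_id || !tenant.client_secret) {
    throw new Error('tenant has no client credentials');
  }
  return {
    redirectUrl,
    input: {
      [connectorName]: { client_id: tenant.client_id, client_secret: tenant.client_secret },
    },
  };
}

// Copy of the body that is safe to write to logs: every client_secret is masked.
function redactSessionBody(body) {
  const mask = (key, value) => (key === 'client_secret' ? '[redacted]' : value);
  return JSON.parse(JSON.stringify(body, mask));
}

// Shape of an RFC 6749 section 4.4 token request for those credentials.
// Assumption: the token endpoint accepts HTTP Basic client authentication.
function buildTokenRequest(tokenUrl, creds) {
  const url = new URL(tokenUrl);
  if (url.protocol !== 'https:') throw new Error('token endpoint must use https');
  // RFC 6749 section 2.3.1: form-urlencode id and secret before Basic encoding.
  const enc = (s) => new URLSearchParams({ v: s }).toString().slice(2);
  const pair = `${enc(creds.client_id)}:${enc(creds.client_secret)}`;
  return {
    method: 'POST',
    url: url.toString(),
    headers: {
      Authorization: `Basic ${Buffer.from(pair).toString('base64')}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: new URLSearchParams({ grant_type: 'client_credentials' }).toString(),
  };
}

// Constructed sample tenant, using the placeholder values from this page.
const sampleTenant = { client_id: 'AAAA', client_secret: 'BBBB' };
const sampleSession = buildSessionBody(sampleTenant, 'http://example.com/redirect');
console.log(JSON.stringify(redactSessionBody(sampleSession)));
console.log(buildTokenRequest('https://auth.example.com/oauth/token', sampleTenant).body);
```

Log only the redacted copy; the unredacted body is what goes into the session creation POST.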

Invoking the Client Credential Flow Connector

The credentials created by the Connector are accessible via the same call to getSdkByTenant as credentials from other Connectors:

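const superagent = require('superagent');

router.post('/api/tenant/:tenantId/test', integration.middleware.authorizeUser('install:get'), async (ctx) => {
  // Look up the access token the Connector obtained for this tenant.
  const ccfCredentials = await integration.tenant.getSdkByTenant(ctx, 'ccfConnector', ctx.params.tenantId);
  // Call the backend with the tenant's bearer token.
  const me = await superagent.get('https://www.example.com/me')
    .set('Authorization', `Bearer ${ccfCredentials.accessToken}`);
  // Return only the parsed response payload, not the whole superagent response object.
  ctx.body = me.body;
});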
