🚀 Feature: Client Credentials flow support #56

New Issue

Closed

opened 2025-10-06 23:59:34 +03:00 by OVERLORD · 3 comments

OVERLORD commented 2025-10-06 23:59:34 +03:00

Owner

Copy Link

Originally created by @savely-krasovsky on GitHub.

Feature description

Client Credentials flow is a very useful flow for m2m integrations. Since #566 is already merged it would be nice to support getting access token using both methods:

1. With a pair of client_id and client_secret.
2. With a federated credential (client_id + client_assertion).

Pitch

Client Credentials flow can be used to programmatically bypass IAPs (Identity-Aware Proxy) such as oauth2-proxy and many others. For example it will allow monitoring products like Uptime Kuma or Gatus to monitor services behind those proxies by providing access token they received from Pocket-ID using client credential flow.

Originally created by @savely-krasovsky on GitHub. ### Feature description [Client Credentials flow](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4) is a very useful flow for m2m integrations. Since #566 is already merged it would be nice to support getting access token using both methods: 1. With a pair of `client_id` and `client_secret`. 2. With a federated credential (`client_id` + `client_assertion`). ### Pitch Client Credentials flow can be used to programmatically bypass IAPs (Identity-Aware Proxy) such as [oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) and many others. For example it will allow monitoring products like Uptime Kuma or Gatus to monitor services behind those proxies by providing access token they received from Pocket-ID using client credential flow.

OVERLORD added the needs more upvotes label 2025-10-06 23:59:34 +03:00

OVERLORD closed this issue 2025-10-06 23:59:35 +03:00

OVERLORD commented 2025-10-06 23:59:38 +03:00

Author

Owner

Copy Link

@savely-krasovsky commented on GitHub:

I think @ItalyPaleAle can provide even better examples, as he has more experience with Kubernetes, which can be configured to trust access tokens issued via the client_credentials flow.

@savely-krasovsky commented on GitHub: I think @ItalyPaleAle can provide even better examples, as he has more experience with Kubernetes, which can be configured to trust access tokens issued via the `client_credentials` flow.

OVERLORD commented 2025-10-06 23:59:38 +03:00

Author

Owner

Copy Link

@stonith404 commented on GitHub:

Could you clarify the use case a bit more? I'm not really sure if I understand it correctly. From my perspective, it sounds like the idea is that one client can request an access token in order to call another client. For example, client A obtaining an access token from Pocket ID to access client B.

What's the advantage of having this over just a simple API key that is provided by the IAP, that allows client A to bypass authentication of client B?

@stonith404 commented on GitHub: Could you clarify the use case a bit more? I'm not really sure if I understand it correctly. From my perspective, it sounds like the idea is that one client can request an access token in order to call another client. For example, client A obtaining an access token from Pocket ID to access client B. What's the advantage of having this over just a simple API key that is provided by the IAP, that allows client A to bypass authentication of client B?

OVERLORD commented 2025-10-06 23:59:39 +03:00

Author

Owner

Copy Link

@savely-krasovsky commented on GitHub:

@stonith404 there are many cases where a service does not provide its own tokens for access, but instead trusts access tokens issued by a trusted IdP (Identity Provider — Pocket-ID in our case). For example, this can be used for service-to-service authentication in a microservice architecture. You create an OIDC client, it contacts the IdP and exchanges the client_id + client_secret (or a client_assertion) for an access_token, and then Service A can call Service B using that token. Service B can easily verify that the token was issued for Service A by the trusted IdP. This removes the need for Service B to implement its own authentication scheme.

In the case of OAuth2 Proxy, it does not have any embedded authentication mechanisms other than OAuth2 JWT access tokens passed as Bearer tokens (see docs: https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview/, --skip-jwt-bearer-tokens flag). Notable projects such as Uptime Kuma and Gatus can use the client_credentials flow to obtain an access token and present it while polling endpoints.

@savely-krasovsky commented on GitHub: @stonith404 there are many cases where a service does not provide its own tokens for access, but instead trusts access tokens issued by a trusted IdP (Identity Provider — Pocket-ID in our case). For example, this can be used for service-to-service authentication in a microservice architecture. You create an OIDC client, it contacts the IdP and exchanges the `client_id` + `client_secret` (or a `client_assertion`) for an `access_token`, and then Service A can call Service B using that token. Service B can easily verify that the token was issued for Service A by the trusted IdP. This removes the need for Service B to implement its own authentication scheme. In the case of OAuth2 Proxy, it does not have any embedded authentication mechanisms other than OAuth2 JWT access tokens passed as Bearer tokens (see docs: https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview/, `--skip-jwt-bearer-tokens` flag). Notable projects such as Uptime Kuma and Gatus can use the client_credentials flow to obtain an access token and present it while polling endpoints.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

i18n_crowdin

breaking/v2

v2/use-item-component

default-env-db-keys

slog-gorm

v1.16.0

v1.15.0

v1.14.2

v1.14.1

v1.14.0

v1.13.1

v1.13.0

v1.12.0

v1.11.2

v1.11.1

v1.11.0

v1.10.0

v1.9.1

v1.9.0

v1.8.1

v1.8.0

v1.7.0

v1.6.4

v1.6.3

v1.6.2

v1.6.1

v1.6.0

v1.5.0

v1.4.1

v1.4.0

v1.3.1

v1.3.0

v1.2.0

v1.1.0

v1.0.0

v0.53.0

v0.52.0

v0.51.1

v0.51.0

v0.50.0

v0.49.0

v0.48.0

v0.47.0

v0.46.0

v0.45.0

v0.44.0

v0.43.1

v0.43.0

v0.42.1

v0.42.0

v0.41.0

v0.40.1

v0.40.0

v0.39.0

v0.38.0

v0.37.0

v0.36.0

v0.35.6

v0.35.5

v0.35.4

v0.35.3

v0.35.2

v0.35.1

v0.35.0

v0.34.0

v0.33.0

v0.32.0

v0.31.0

v0.30.0

v0.29.0

v0.28.1

v0.28.0

v0.27.2

v0.27.1

v0.27.0

v0.26.0

v0.25.1

v0.25.0

v0.24.1

v0.24.0

v0.23.0

v0.22.0

v0.21.0

v0.20.1

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.0

v0.13.1

v0.13.0

v0.12.0

v0.11.0

v0.10.0

v0.9.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.1

v0.4.0

v0.3.1

v0.3.0

v0.2.1

v0.2.0

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels

breaking

bug

documentation

feature

needs more upvotes

open to pull requests

pull-request

Mirrored from GitHub Pull Request

No Label needs more upvotes

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/pocket-id#56