OAuth Client Credentials Flow


4me’s support for OAuth 2.0 has been extended to allow developers to build applications that need to interact with 4me, but which should not ask a 4me user for permission to use his or her 4me access rights. Such applications may, for example, require 4me access to maintain records in the CMDB, or to generate and update requests for actionable events. These kinds of machine-to-machine (M2M) interactions can now be secured using 4me’s support for the OAuth 2.0 Client Credentials flow.

Administrators can find the option for this in the ‘Applications’ section of the Settings console.  There, applications can be registered that need to interact with 4me.  These applications were already able to make use of the OAuth 2.0 Authorization Code flow where humans need to grant the applications some of the access they have to 4me.  Now applications that do not rely on someone’s 4me access can also be registered.  For such applications, the new ‘Allow OAuth Client Credentials flow’ option can be checked.

Register new application in 4me with OAuth Client Credentials flow

When this new option is checked, the application follows the steps below to interact securely with 4me using the limited access rights defined for the application in 4me.

4me OAuth v2 Client Credentials diagram

More information about the OAuth 2.0 Client Credentials flow can be found on the 4me Developer website.
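
The token request, response handling and API call of an OAuth 2.0 Client Credentials exchange (RFC 6749 section 4.4), as an added example that is not 4me's own code. The token and API URLs are placeholders, the sample response is constructed, and sending the client ID and secret as form parameters is an assumption; the 4me Developer website documents the actual endpoints and client authentication method.

```python
import json
import time
import urllib.parse
import urllib.request

# Assumption: placeholder URL; the real token endpoint is on the 4me Developer website.
TOKEN_URL = "https://oauth.example.invalid/token"


def build_token_request(client_id, client_secret, token_url=TOKEN_URL):
    """Build (not send) the RFC 6749 section 4.4 token request."""
    if urllib.parse.urlsplit(token_url).scheme != "https":
        raise ValueError("client secret must only travel over HTTPS")
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",  # no user, no redirect, no consent screen
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(
        token_url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})


def parse_token_response(raw, now=None, skew=30):
    """Validate the token response; return (access_token, refresh_at)."""
    doc = json.loads(raw)
    if "error" in doc:
        raise PermissionError(f"token endpoint refused: {doc['error']}")
    if doc.get("token_type", "").lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("unexpected token response")
    now = time.time() if now is None else now
    # This flow normally issues no refresh token: request a new one before expiry.
    return doc["access_token"], now + max(int(doc.get("expires_in", 0)) - skew, 0)


def build_api_request(url, access_token):
    """Attach the token as a Bearer credential (RFC 6750)."""
    if urllib.parse.urlsplit(url).scheme != "https":
        raise ValueError("bearer tokens must only travel over HTTPS")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})


# Constructed sample response, not captured from 4me.
SAMPLE_RESPONSE = '{"access_token": "constructed-token", "token_type": "Bearer", "expires_in": 3600}'

if __name__ == "__main__":
    req = build_token_request("my-client-id", "my-client-secret")
    token, refresh_at = parse_token_response(SAMPLE_RESPONSE, now=0)
    api = build_api_request("https://api.example.invalid/v1/requests", token)
    print(req.get_method(), req.full_url, "refresh after", refresh_at, "seconds")
```

Keep the client secret in a secrets store rather than in source or logs, since anyone holding it can obtain tokens with the access rights defined for the application.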