OAuth 2.0 - Client Credentials - Support additional fields for token requests #2002

Open
philippsteinberg opened this issue Apr 3, 2024 · 10 comments

Comments

@philippsteinberg

Hi,

the current implementation of the client credential flow is unfortunately not working with Auth0.
Instead of the scope parameter, they use an audience field to specify for which API the token should be generated:
https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-credentials-flow/call-your-api-using-the-client-credentials-flow

I know that it does not make sense to add a new field for every implementation that differs from the standard, but maybe an option to add new fields to the request via defining key and value would be flexible enough to solve this and other special requirements.

BR
Philipp

@mjschlosser8

I'm having this same issue. I need the Audience field to authenticate successfully using client credentials for OAuth 2.0.

@BoasHoeven

Having the same issue; the current auth solution is insufficient. Keeps me from switching over 100% to Bruno.

@sanjai0py added the enhancement label Apr 8, 2024

@pietrygamat
Contributor

I can see 3 ways of approaching it:

  1. Minimal: something similar to Oauth2: auth url with required pre-exisiting parameters #1683 but for the token URL. The user may provide any additional parameters directly in the query component of the token URL, and Bruno should not discard them - it may even work right now, not sure :D.
  2. Postman/Insomnia way: where we hardcode additional fields for origin/audience/resource and any other 'almost' standard fields. Requires updating the UI, maybe adding an Advanced tab as other clients do it. Also - it changes the schema for authOAuth2.
  3. Full control - the user can configure any number of custom parameters and/or headers used in the token request. This would require updating the UI and schema, but also the bruToJson grammar, because something like this is not allowed:
```
auth:oauth2 {
  grant_type: authorization_code
  callback_url: {{callback}}
  authorization_url: {{auth_url}}
  access_token_url: {{token_url}}
  client_id: {{client_id}}
  client_secret: 
  scope: openapi
  pkce: true
  customHeaders {
    header1: value
    origin: {{origin}}
  }
  customParams {
    param1: value
    audience: {{audience}}
  }
}
```

but the whole grammar shenanigans confuse me.

@helloanoop, do you have any thoughts, which approach is worth pursuing?
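
Approach 3 from the comment above (user-defined parameters and headers on the token request), as an added JavaScript example that is not part of the comment or of Bruno's code. It builds a client-credentials token request, refuses custom entries that would replace core fields or inject headers, and redacts the secret for logging; the function names, option names, URLs and values are assumptions constructed for illustration.

```javascript
// Added example, not Bruno's code. Function and option names are hypothetical;
// customParams/customHeaders mirror the block proposed in the comment above.
const RESERVED_PARAMS = new Set(['grant_type', 'client_id', 'client_secret', 'scope']);
// Content-Type fixes the body encoding; Authorization would add a second
// client authentication method next to the credentials in the body.
const RESERVED_HEADERS = new Set(['content-type', 'authorization']);

function buildTokenRequest({ tokenUrl, clientId, clientSecret, scope,
                             customParams = {}, customHeaders = {} }) {
  const body = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: clientId,
    client_secret: clientSecret,
  });
  if (scope) body.set('scope', scope);
  for (const [key, value] of Object.entries(customParams)) {
    // A user-defined field must not silently replace a core OAuth field.
    if (RESERVED_PARAMS.has(key.toLowerCase())) {
      throw new Error(`custom parameter "${key}" collides with a core field`);
    }
    body.set(key, String(value));
  }
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  for (const [name, value] of Object.entries(customHeaders)) {
    if (RESERVED_HEADERS.has(name.toLowerCase())) {
      throw new Error(`custom header "${name}" is set by the client itself`);
    }
    // Reject CR/LF so an interpolated variable cannot inject extra headers.
    if (/[\r\n]/.test(`${name}${value}`)) {
      throw new Error(`custom header "${name}" contains a line break`);
    }
    headers[name] = String(value);
  }
  return { method: 'POST', url: tokenUrl, headers, body: body.toString() };
}

// Copy of the request that is safe to show in a request log or timeline.
function redactForLog(request) {
  const params = new URLSearchParams(request.body);
  if (params.has('client_secret')) params.set('client_secret', '***');
  return { ...request, body: params.toString() };
}

// Constructed sample values (not from the issue).
const sampleRequest = buildTokenRequest({
  tokenUrl: 'https://tenant.example/oauth/token', clientId: 'abc', clientSecret: 's3cret',
  customParams: { audience: 'https://api.example/' }, customHeaders: { origin: 'https://app.example' },
});
console.log(redactForLog(sampleRequest));
```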

@rafeanders

I'm just using one of the auth solutions in the scriptmania thread, and it's working great.
It uses the client_credentials flow, and I just modified it to add the audience to the post request. I had to do a few other tweaks since it was a bit dated.
I can share my solution if you would like.

@BoasHoeven

Hi, is there any progress on this? Would be nice to have this integrated so the auth flow works.

@blackthornedk

blackthornedk commented Jun 10, 2024

When requesting OAuth2 in 'client credentials' we need to include the 'Audience' parameter. Although 'Scope' is supported, it's not possible to send 'Audience'. I managed to create a workaround, where I have a specific endpoint for getting the access token, and storing it as an environment variable, but it would be better to have it directly supported in the Auth section.

@nmartin-RatedPower

Same problem here. Will that field be added? 👍

@MazrimT

MazrimT commented Aug 29, 2024

Same. For example, many APIs where auth is implemented by Microsoft require some extra keys in either the body or the header, very often something called a "resource". Sorry to compare :) but Postman has an extra section for this specific thing; I think this would be the easiest implementation.


@javiersoriano

Same issue trying to authenticate with Box, which requires a couple of parameters to be sent with the token request.

This is how they do it in Postman:

@rolighed

Also still waiting for the possibility of an Audience parameter. :(
