
OAuth 2.0 Client Credentials Flow

⚠️ UNDER DEVELOPMENT: This feature is under development and not ready for production use. Please use only for testing.

Please note that the base address for this API is the Momentum Login service.

This authorization flow uses the Client Credentials grant type (see RFC 6749 for details). It lets an application sign in as itself to perform background work on its own behalf, rather than on behalf of an end user, and requires no interaction with an end user.

This flow can only be used by confidential clients that are able to store secrets privately, such as a web server or a service running on a trusted server. It must not be used by public clients such as SPA or PWA applications running on client devices.

Register the Application

The application needs to be pre-registered in Momentum Fastighet to obtain the client_id of your application. This feature cannot be used by applications classified as public, since that class of application cannot store credentials privately.

Request an Access Token

IMPORTANT: Review the Security Considerations before using these APIs.

Request

Example

Please note that the base address for this API is the Momentum Login security service.

POST /api/auth/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=eap-30650-2&client_secret=4HUBHnqLTnZFw34tmsvmmu8v7hx2mg7vEij6bZEJuvw=&resource=https://pm.momentum.se/{tenant}/api

Parameters

Name         Required?   Description
grant_type   Required    Use client_credentials.
client_*     Required    The client must authenticate, which requires additional parameters to be included with the request. Please see OAuth Client Authentication.
resource     Optional    The URI or client_id of the target application the issued token is to be sent to.

Response

Example

{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWI...",
    "token_type": "Bearer",
    "expires_in": 3600
}

IMPORTANT: Review the Security Considerations before using these APIs.

The access_token may be a JWT, but the client should treat it as opaque.

This endpoint does not return errors as defined by the Momentum Fastighet API; instead it follows RFC 7521.

Example:

{
    "error":"invalid_grant",
    "error_description":"Audience validation failed"
}

Note that the error_description is not intended to be displayed to the end user.
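The request, success response and error response described above, worked through as an added example of a confidential client (this is not Momentum's own code): it form-encodes the token request, treats the returned access_token as opaque, subtracts a refresh margin from expires_in, and keeps error_description out of anything shown to users. The TOKEN_URL base address, the refresh margin and the secret used in the offline check are assumptions; the path and client_id come from the page.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass

# Assumed base URL (the page only names the Momentum Login service); the path is from the page.
TOKEN_URL = "https://login.example.invalid/api/auth/oauth2/token"

def build_token_request(client_id, client_secret, resource=None):
    """Form-encode the body. urlencode percent-encodes '=', ':' and '/' in the
    secret and resource, which the raw example on the page leaves literal."""
    fields = {"grant_type": "client_credentials",
              "client_id": client_id, "client_secret": client_secret}
    if resource:
        fields["resource"] = resource
    return urllib.parse.urlencode(fields).encode()

@dataclass
class Token:
    access_token: str  # opaque to the client: never decode or trust its claims here
    expires_at: float  # epoch seconds, with a refresh margin already subtracted

class TokenError(Exception):
    """The token endpoint returned an error object (error / error_description)."""

def parse_token_response(status, body, now, margin=60):
    """Turn the JSON response shown on the page into a Token, or raise TokenError."""
    if status != 200 or "error" in body:
        # error_description is for logs and operators, not for end users
        raise TokenError(f"{body.get('error', 'unknown')}: {body.get('error_description', '')}")
    if body.get("token_type", "").lower() != "bearer":
        raise TokenError(f"unexpected token_type {body.get('token_type')!r}")
    return Token(body["access_token"], now + max(int(body["expires_in"]) - margin, 0))

def fetch_token(client_id, client_secret, resource=None):
    """Live call against the assumed TOKEN_URL; not exercised by the offline test."""
    req = urllib.request.Request(
        TOKEN_URL, data=build_token_request(client_id, client_secret, resource),
        headers={"Content-Type": "application/x-www-form-urlencoded"}, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            status, body = resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # a 4xx carries the RFC 6749 style error JSON
        status, body = err.code, json.load(err)
    return parse_token_response(status, body, time.time())
```

Call fetch_token once per expiry window and reuse the Token until expires_at passes, rather than requesting a new token per API call.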