Client credentials flow

This flow is used for server-to-server communication. It requires no user interaction: the client needs only its own credentials, the client ID and client secret, to get the access token:

  1. Client sends the client credentials, namely client ID and client secret, to the authorization server.
  2. The authorization server verifies the credentials and returns the access token.
  3. Client then passes the access token to the resource server to access the API.

The client credentials flow should not be used with JavaScript or native mobile applications because, with these, both the client ID and client secret reside on the client side itself and can easily be forged. In server-to-server communication, we can keep the client ID and client secret in safe storage where they are accessible only to the application running on the server.
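The three steps above, simulated in-process with both sides of each message. This is an added example, not code from the original text; the client name, secret value, one-hour token lifetime and all function names are constructed assumptions, and the credentials are sent with HTTP Basic authentication as one common choice.

```python
import base64, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode

REGISTERED = {"billing-service": "constructed-sample-secret"}  # constructed sample values
ISSUED = {}  # access token -> (client_id, expiry timestamp)

def build_token_request(client_id, client_secret):
    """Step 1 (client): credentials via HTTP Basic, grant type in the form body."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": f"Basic {basic}"}, urlencode({"grant_type": "client_credentials"})

def authorization_server(headers, body, now=None):
    """Step 2 (authorization server): verify the client, then issue a token."""
    now = time.time() if now is None else now
    try:
        scheme, blob = headers["Authorization"].split(" ", 1)
        client_id, _, secret = base64.b64decode(blob).decode().partition(":")
    except (KeyError, ValueError):
        return 401, json.dumps({"error": "invalid_client"})
    # Constant-time comparison; unknown clients are compared against an empty secret.
    match = hmac.compare_digest(secret.encode(), REGISTERED.get(client_id, "").encode())
    if scheme != "Basic" or client_id not in REGISTERED or not match:
        return 401, json.dumps({"error": "invalid_client"})
    if parse_qs(body).get("grant_type") != ["client_credentials"]:
        return 400, json.dumps({"error": "unsupported_grant_type"})
    token = secrets.token_urlsafe(32)
    ISSUED[token] = (client_id, now + 3600)
    return 200, json.dumps({"access_token": token, "token_type": "Bearer", "expires_in": 3600})

def resource_server(headers, now=None):
    """Step 3 (resource server): accept only a known, unexpired bearer token."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    client_id, expiry = ISSUED.get(token, (None, 0))
    if scheme != "Bearer" or client_id is None or now >= expiry:
        return 401, None
    return 200, client_id

def get_token(client_id, client_secret, now=None):
    """Client helper: run steps 1-2 and return the access token, or None."""
    status, body = authorization_server(*build_token_request(client_id, client_secret), now=now)
    return json.loads(body)["access_token"] if status == 200 else None

def run_flow(client_id, client_secret):
    """All three steps; returns (status, client the resource server saw)."""
    token = get_token(client_id, client_secret)
    if token is None:
        return 401, None
    return resource_server({"Authorization": f"Bearer {token}"})
```

On a real server the secret passed to run_flow would be read from the safe storage mentioned above, never embedded in the source.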
