Documentation

HTTP API authentication flows

The Nomirun SDK contains implementations of the Client Credentials Flow and the ROPC (Resource Owner Password Credentials) Flow for Keycloak, IdentityServer4 and Microsoft Entra ID.

Client Credential Flow and ROPC (Resource Owner Password Credentials) Flow are two different OAuth 2.0 authorization grant types used for authentication and authorization:

  1. Client Credential Flow: This flow is used for machine-to-machine (M2M) communication where a client application requests access to resources directly, without user involvement. It uses the application’s credentials (client ID and client secret) to obtain an access token. It is typically used for backend services or APIs accessing other APIs.
  2. ROPC (Resource Owner Password Credentials) Flow: This flow allows users to directly provide their credentials (username and password) to the client application, which then exchanges these credentials for an access token used to access protected resources. It should be used sparingly as it requires storing user credentials in the client app, which increases security risks. This flow is generally not recommended unless absolutely necessary.
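
The two grant types above differ only in what the client sends to the token endpoint. The following is an added example, not code from the Nomirun SDK: the raw OAuth 2.0 requests that each grant boils down to, built with HttpClient and System.Text.Json, with the error handling a caller should have (HTTPS only, RFC 6749 error bodies surfaced, token_type checked, expiry kept as an absolute instant). The endpoint, client id, secret and scope in the demo are placeholders.

```csharp
// Added example (not part of the Nomirun SDK): the raw token requests behind the
// client_credentials and password grants. All server names and credentials are placeholders.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

public sealed record TokenResponse(string AccessToken, string TokenType, DateTimeOffset ExpiresAt);

public sealed class RawOAuthClient
{
    private readonly HttpClient _http;
    private readonly Uri _tokenEndpoint;

    public RawOAuthClient(HttpClient http, Uri tokenEndpoint)
    {
        // Credentials travel in the POST body, so refuse anything but TLS up front.
        if (tokenEndpoint.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Token endpoint must use HTTPS.", nameof(tokenEndpoint));
        _http = http;
        _tokenEndpoint = tokenEndpoint;
    }

    // Client credentials grant (RFC 6749 section 4.4): the application authenticates as itself; no user involved.
    public Task<TokenResponse> ClientCredentialsAsync(string clientId, string clientSecret, string? scope = null)
    {
        var form = new Dictionary<string, string>
        {
            ["grant_type"] = "client_credentials",
            ["client_id"] = clientId,
            ["client_secret"] = clientSecret,
        };
        if (scope is not null) form["scope"] = scope;
        return PostAsync(form);
    }

    // Resource owner password credentials grant (RFC 6749 section 4.3): the user's password
    // passes through the client application, which is why this grant is discouraged.
    public Task<TokenResponse> PasswordAsync(string clientId, string clientSecret,
                                             string username, string password, string? scope = null)
    {
        var form = new Dictionary<string, string>
        {
            ["grant_type"] = "password",
            ["client_id"] = clientId,
            ["client_secret"] = clientSecret,
            ["username"] = username,
            ["password"] = password,
        };
        if (scope is not null) form["scope"] = scope;
        return PostAsync(form);
    }

    private async Task<TokenResponse> PostAsync(Dictionary<string, string> form)
    {
        using var content = new FormUrlEncodedContent(form);
        using var response = await _http.PostAsync(_tokenEndpoint, content);
        var body = await response.Content.ReadAsStringAsync();

        JsonElement root;
        try { root = JsonDocument.Parse(body).RootElement.Clone(); }
        catch (JsonException)
        {
            throw new InvalidOperationException($"Non-JSON response ({(int)response.StatusCode}) from token endpoint.");
        }

        // Error responses (RFC 6749 section 5.2) carry "error" and an optional "error_description".
        if (!response.IsSuccessStatusCode || root.TryGetProperty("error", out _))
        {
            var error = root.TryGetProperty("error", out var e) ? e.GetString() : response.StatusCode.ToString();
            var description = root.TryGetProperty("error_description", out var d) ? d.GetString() : null;
            throw new InvalidOperationException($"Token request failed: {error} {description}".Trim());
        }

        var tokenType = root.GetProperty("token_type").GetString() ?? "";
        if (!string.Equals(tokenType, "Bearer", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException($"Unexpected token_type '{tokenType}'.");

        // expires_in is seconds from now; store an absolute instant so callers can refresh early.
        var expiresIn = root.TryGetProperty("expires_in", out var exp) ? exp.GetInt32() : 0;
        return new TokenResponse(root.GetProperty("access_token").GetString()!, tokenType,
                                 DateTimeOffset.UtcNow.AddSeconds(expiresIn));
    }
}

public static class Demo
{
    public static async Task Main()
    {
        using var http = new HttpClient();
        // Placeholder endpoint and credentials.
        var client = new RawOAuthClient(http, new Uri("https://idp.example.invalid/realms/realmX/protocol/openid-connect/token"));
        var token = await client.ClientCredentialsAsync("my_client", "client_secret");
        Console.WriteLine($"Access token obtained; expires at {token.ExpiresAt:u}"); // never log the token itself
    }
}
```

The same PostAsync serves both grants; only the form fields differ. Treat the response body as untrusted input: a proxy or load balancer can answer with HTML, and a 200 with an "error" member still exists in the wild, which is why both cases are checked before "access_token" is read.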

1. Keycloak support

Keycloak support is limited to the client credentials (Protection API token, PAT) flow, optionally combined with token exchange. Additionally, you can also obtain a token with the resource owner password credentials grant.

1.1. Client credential flow

var auth = new KeycloakAuthenticator(options =>
{
   options.AddClientCredentialFlowParameters(
         new Uri("https://my.keycloakserver.com/auth/realms/realmX/protocol/openid-connect/token"),
         "my_client",
         "client_secret");
});

var token = await auth.GetAccessToken();

1.2. Exchange token for user token

If you want to replace the PAT token with a user token, you can additionally specify a username.

var auth = new KeycloakAuthenticator(options =>
{
   options.AddClientCredentialFlowParameters(
         new Uri("https://my.keycloakserver.com/auth/realms/realmX/protocol/openid-connect/token"),
         "my_client",
         "client_secret");
});

//Get client credentials flow access token
var token = await auth.GetAccessToken();

//Replace client credentials flow token for user access token
var userToken = await auth.ExchangeForUserToken("myuser@email.com");
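
At the protocol level the exchange above is a Keycloak token-exchange request (RFC 8693 as Keycloak implements it) in which the PAT is the subject token and the username is the requested subject. The following is an added example, not the SDK's implementation: the raw request, followed by a sanity check that the token handed back is for the intended user, from the expected realm, and not already expired. Endpoint, client, secret and username are placeholders; Keycloak must have the token-exchange feature enabled and the client must be allowed to impersonate users, otherwise the request is rejected.

```csharp
// Added example (not part of the Nomirun SDK): Keycloak token exchange for a user,
// plus a claim sanity check on the result. All names below are placeholders.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public static class KeycloakTokenExchange
{
    public static async Task<string> ExchangeForUserAsync(
        HttpClient http, Uri tokenEndpoint, string clientId, string clientSecret,
        string clientAccessToken, string username)
    {
        var form = new Dictionary<string, string>
        {
            ["grant_type"] = "urn:ietf:params:oauth:grant-type:token-exchange",
            ["client_id"] = clientId,
            ["client_secret"] = clientSecret,
            ["subject_token"] = clientAccessToken, // the client-credentials (PAT) token
            ["subject_token_type"] = "urn:ietf:params:oauth:token-type:access_token",
            ["requested_subject"] = username,      // Keycloak impersonation target (username or user id)
            ["requested_token_type"] = "urn:ietf:params:oauth:token-type:access_token",
        };
        using var content = new FormUrlEncodedContent(form);
        using var response = await http.PostAsync(tokenEndpoint, content);
        response.EnsureSuccessStatusCode();
        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        return doc.RootElement.GetProperty("access_token").GetString()!;
    }

    // Decodes the payload of a compact JWT. This does NOT verify the signature: it is a
    // sanity check on a token just received over TLS from the issuer, not validation of a
    // token presented by some caller (that needs the realm's signing keys).
    public static JsonDocument ReadUnverifiedPayload(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Not a compact JWS.");
        var b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64)));
    }

    // Confirms the exchanged token names the intended user, comes from the expected realm
    // (the issuer is the realm URL, e.g. https://my.keycloakserver.com/auth/realms/realmX)
    // and has not already expired.
    public static void AssertExchangedToken(string jwt, string expectedIssuer, string expectedUsername)
    {
        using var payload = ReadUnverifiedPayload(jwt);
        var root = payload.RootElement;

        var iss = root.GetProperty("iss").GetString();
        if (iss != expectedIssuer)
            throw new InvalidOperationException($"Unexpected issuer '{iss}'.");

        var user = root.TryGetProperty("preferred_username", out var u) ? u.GetString() : null;
        if (!string.Equals(user, expectedUsername, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException($"Token is for '{user}', not '{expectedUsername}'.");

        var exp = DateTimeOffset.FromUnixTimeSeconds(root.GetProperty("exp").GetInt64());
        if (exp <= DateTimeOffset.UtcNow)
            throw new InvalidOperationException("Exchanged token is already expired.");
    }
}
```

Impersonation is a powerful permission: the client holding the PAT can mint a token for any user it is allowed to impersonate, so scope that permission narrowly in Keycloak and keep the client secret out of source control and logs. The issuer check matters because the exchanged token is later presented to resource servers that trust exactly one realm.
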

1.3. Resource owner password credentials grant

var auth = new KeycloakAuthenticator(options =>
{
   options.AddResourceOwnerPasswordCredentialFlowParameters(
         new Uri("https://my.keycloakserver.com/auth/realms/realmX/protocol/openid-connect/token"),
         "my_client",
         "client_secret",
         "user",
         "pass");
});

var token = await auth.GetAccessToken();

2. Identity Server 4 support

Under the hood, it is the same code that retrieves the client credentials flow access token, but the authenticator is explicit for Identity Server 4. Additionally, you can also obtain a token with the resource owner password credentials grant.

2.1. Client credential flow

var auth = new IdentityServer4Authenticator(options =>
{
   options.AddClientCredentialFlowParameters(
         new Uri("https://<myserver>/token"),
         "my_client",
         "<client_secret>");
});

var token = await auth.GetAccessToken();

2.2. Resource owner password credentials grant

var auth = new IdentityServer4Authenticator(options =>
{
   options.AddResourceOwnerPasswordCredentialFlowParameters(
         new Uri("https://<myserver>/token"),
         "my_client",
         "<client_secret>",
         "user",
         "pass");
});

var token = await auth.GetAccessToken();

3. Microsoft Entra ID

Under the hood, it is the same code that retrieves the client credentials flow access token, but the authenticator is explicit for Azure B2C. Additionally, you can also obtain a token with the resource owner password credentials flow.

The Azure B2C client credentials flow requires an explicit scope, which is usually https://graph.windows.net/.default.

3.1. Client credential flow

var auth = new AzureB2CAuthenticator(options =>
{
   options.AddClientCredentialFlowParameters(
         new Uri("https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token"),
         "<clientId>",
         "<clientSecret>",
         new string[] { "https://graph.windows.net/.default" });
});

var token = await auth.GetAccessToken();

3.2. Resource owner password credentials grant

var auth = new AzureB2CAuthenticator(options =>
{
   options.AddResourceOwnerPasswordCredentialFlowParameters(
         new Uri("https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token"),
         "<clientId>",
         "<clientSecret>",
         new string[] { "https://graph.windows.net/.default" },
         "user",
         "pass");
});

var token = await auth.GetAccessToken();
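
Every section above ends with a token string that then has to be attached to outgoing requests. The following is an added example, not part of the Nomirun SDK: a DelegatingHandler that takes any of the authenticators' GetAccessToken() as an acquire delegate (assumed here to return Task<string>), caches the token until shortly before the caller-supplied lifetime ends, serialises refreshes so parallel requests do not stampede the token endpoint, refuses to send the token over plain HTTP, and drops the cached token after a 401 so a revoked or early-expired token is not replayed. The API base address and the five-minute lifetime are placeholders.

```csharp
// Added example (not part of the Nomirun SDK): bearer-token handler with caching,
// single-flight refresh and 401 invalidation. Base address and lifetime are placeholders.
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;

public sealed class BearerTokenHandler : DelegatingHandler
{
    private sealed record Cached(string Token, DateTimeOffset ExpiresAt);

    private readonly Func<CancellationToken, Task<string>> _acquire;
    private readonly TimeSpan _lifetime;
    private readonly TimeSpan _refreshMargin;
    private readonly SemaphoreSlim _gate = new(1, 1);
    private volatile Cached? _cached;

    public BearerTokenHandler(Func<CancellationToken, Task<string>> acquire, TimeSpan lifetime,
                              TimeSpan? refreshMargin = null)
    {
        _acquire = acquire;
        _lifetime = lifetime;
        _refreshMargin = refreshMargin ?? TimeSpan.FromSeconds(30);
    }

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        // A bearer token is a password-equivalent; never let it leave over cleartext.
        if (request.RequestUri is null || request.RequestUri.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("Refusing to send a bearer token over anything but HTTPS.");

        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", await GetTokenAsync(ct));
        var response = await base.SendAsync(request, ct);

        // 401 means the resource server rejected the token (revoked, expired early, wrong audience).
        // Drop it so the next request acquires a fresh one instead of replaying a dead token.
        if (response.StatusCode == HttpStatusCode.Unauthorized) _cached = null;
        return response;
    }

    private async Task<string> GetTokenAsync(CancellationToken ct)
    {
        var c = _cached;
        if (c is not null && DateTimeOffset.UtcNow < c.ExpiresAt - _refreshMargin) return c.Token;

        await _gate.WaitAsync(ct);
        try
        {
            // Re-check under the gate: another request may already have refreshed.
            c = _cached;
            if (c is not null && DateTimeOffset.UtcNow < c.ExpiresAt - _refreshMargin) return c.Token;

            var issuedAt = DateTimeOffset.UtcNow;
            var token = await _acquire(ct);
            _cached = new Cached(token, issuedAt + _lifetime);
            return token;
        }
        finally { _gate.Release(); }
    }
}

public static class ApiClientFactory
{
    // acquire would be `_ => auth.GetAccessToken()` for any authenticator on this page,
    // assuming GetAccessToken() returns Task<string>.
    public static HttpClient Build(Func<CancellationToken, Task<string>> acquire) =>
        new HttpClient(new BearerTokenHandler(acquire, TimeSpan.FromMinutes(5))
        {
            InnerHandler = new HttpClientHandler()
        })
        {
            BaseAddress = new Uri("https://api.example.invalid/") // placeholder
        };
}
```

The lifetime is passed in rather than read from the token because the SDK's GetAccessToken() surfaces only the token; if you have the token endpoint's expires_in available, use that instead of a fixed value. One note on the scope used in section 3: https://graph.windows.net/.default targets the legacy Azure AD Graph resource, which Microsoft has retired; calls to Microsoft Graph use https://graph.microsoft.com/.default, and a token minted for the wrong resource is exactly the kind that comes back as 401 and gets dropped by the handler above.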