Merge branch 'master' into pavinduLakshan-patch-16

pavinduLakshan · web-flow · commit 273a7da9e837 · 2026-05-28T20:29:46.000+05:30
diff --git a/en/asgardeo/docs/apis/organization-apis/restapis/authenticators.yaml b/en/asgardeo/docs/apis/organization-apis/restapis/authenticators.yaml
@@ -491,6 +491,30 @@ components:
                   "accessToken": "0d6fed02-eac0-332b-8998-213a543139a0"
                 }
               }``
+
+            - CLIENT_CREDENTIAL: OAuth2 client credentials grant based authentication.<br/>
+              ``{
+                "type": "CLIENT_CREDENTIAL",
+                "properties": {
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
+
+            - PASSWORD_CREDENTIAL: OAuth2 resource owner password credentials grant based authentication.<br/>
+              ``{
+                "type": "PASSWORD_CREDENTIAL",
+                "properties": {
+                  "username": "auth_username",
+                  "password": "auth_password",
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
       required:
         - type
         - properties
@@ -502,6 +526,8 @@ components:
             - BEARER
             - API_KEY
             - BASIC
+            - CLIENT_CREDENTIAL
+            - PASSWORD_CREDENTIAL
           example: BASIC
         properties:
           type: object
diff --git a/en/asgardeo/docs/apis/organization-apis/restapis/idp.yaml b/en/asgardeo/docs/apis/organization-apis/restapis/idp.yaml
@@ -2325,6 +2325,30 @@ components:
                   "accessToken": "0d6fed02-eac0-332b-8998-213a543139a0"
                 }
               }``
+
+            - CLIENT_CREDENTIAL: OAuth2 client credentials grant based authentication.<br/>
+              ``{
+                "type": "CLIENT_CREDENTIAL",
+                "properties": {
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
+
+            - PASSWORD_CREDENTIAL: OAuth2 resource owner password credentials grant based authentication.<br/>
+              ``{
+                "type": "PASSWORD_CREDENTIAL",
+                "properties": {
+                  "username": "auth_username",
+                  "password": "auth_password",
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
       required:
         - type
       properties:
@@ -2335,6 +2359,8 @@ components:
             - BEARER
             - API_KEY
             - BASIC
+            - CLIENT_CREDENTIAL
+            - PASSWORD_CREDENTIAL
           example: BASIC
         properties:
           type: object
diff --git a/en/asgardeo/docs/apis/restapis/authenticators.yaml b/en/asgardeo/docs/apis/restapis/authenticators.yaml
@@ -489,6 +489,30 @@ components:
                   "accessToken": "0d6fed02-eac0-332b-8998-213a543139a0"
                 }
               }``
+
+            - CLIENT_CREDENTIAL: OAuth2 client credentials grant based authentication.<br/>
+              ``{
+                "type": "CLIENT_CREDENTIAL",
+                "properties": {
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
+
+            - PASSWORD_CREDENTIAL: OAuth2 resource owner password credentials grant based authentication.<br/>
+              ``{
+                "type": "PASSWORD_CREDENTIAL",
+                "properties": {
+                  "username": "auth_username",
+                  "password": "auth_password",
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
       required:
         - type
         - properties
@@ -500,6 +524,8 @@ components:
             - BEARER
             - API_KEY
             - BASIC
+            - CLIENT_CREDENTIAL
+            - PASSWORD_CREDENTIAL
           example: BASIC
         properties:
           type: object
diff --git a/en/asgardeo/docs/apis/restapis/idp.yaml b/en/asgardeo/docs/apis/restapis/idp.yaml
@@ -2669,6 +2669,30 @@ components:
                   "accessToken": "0d6fed02-eac0-332b-8998-213a543139a0"
                 }
               }``
+
+            - CLIENT_CREDENTIAL: OAuth2 client credentials grant based authentication.<br/>
+              ``{
+                "type": "CLIENT_CREDENTIAL",
+                "properties": {
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
+
+            - PASSWORD_CREDENTIAL: OAuth2 resource owner password credentials grant based authentication.<br/>
+              ``{
+                "type": "PASSWORD_CREDENTIAL",
+                "properties": {
+                  "username": "auth_username",
+                  "password": "auth_password",
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
       required:
         - type
       properties:
@@ -2679,6 +2703,8 @@ components:
             - BEARER
             - API_KEY
             - BASIC
+            - CLIENT_CREDENTIAL
+            - PASSWORD_CREDENTIAL
           example: BASIC
         properties:
           type: object
diff --git a/en/identity-server/7.3.0/docs/deploy/token-persistence.md b/en/identity-server/7.3.0/docs/deploy/token-persistence.md
@@ -85,7 +85,7 @@ In large-scale WSO2 Identity Server deployments, especially with millions of use
   - **Opaque token generation** will continue to work as expected for applications configured to use opaque tokens.
   - Applications configured for **JWT access token type** will be switched to **non-persistent access token mode**, meaning JWT access tokens will no longer be stored in the database.
 - In the case of persistent token storage, if an active access token already exists during the token generation flow, the existing token will be marked as inactive. However, in the non-persistent mode, multiple active tokens can exist, as the authorization server does not store the access tokens.
-- **Token binding**, **Retrieving authorized apps for user**,**Rich Authorization Details**,  and **OIDC Request Object** features are currently not supported in **non-persistent access token mode**.
+- **Retrieving authorized apps for user**, **Rich Authorization Details**, and **OIDC Request Object** features are currently not supported in **non-persistent access token mode**.
 - Actions like revoking issued access tokens when re-submitting an authorization code and revoking all issued access tokens when revoking refresh tokens are also not supported, because the Identity Server does not store access tokens in this mode.
 - In non-persistent mode, the cleanup deletes the selected entries; they are not moved to an audit table as in the persistent case.
 
diff --git a/en/identity-server/next/docs/apis/organization-apis/restapis/authenticators.yaml b/en/identity-server/next/docs/apis/organization-apis/restapis/authenticators.yaml
@@ -494,6 +494,30 @@ components:
                   "accessToken": "0d6fed02-eac0-332b-8998-213a543139a0"
                 }
               }``
+
+            - CLIENT_CREDENTIAL: OAuth2 client credentials grant based authentication.<br/>
+              ``{
+                "type": "CLIENT_CREDENTIAL",
+                "properties": {
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
+
+            - PASSWORD_CREDENTIAL: OAuth2 resource owner password credentials grant based authentication.<br/>
+              ``{
+                "type": "PASSWORD_CREDENTIAL",
+                "properties": {
+                  "username": "auth_username",
+                  "password": "auth_password",
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
       required:
         - type
         - properties
@@ -505,6 +529,8 @@ components:
             - BEARER
             - API_KEY
             - BASIC
+            - CLIENT_CREDENTIAL
+            - PASSWORD_CREDENTIAL
           example: BASIC
         properties:
           type: object
diff --git a/en/identity-server/next/docs/apis/organization-apis/restapis/idp.yaml b/en/identity-server/next/docs/apis/organization-apis/restapis/idp.yaml
@@ -2350,6 +2350,30 @@ components:
                   "accessToken": "0d6fed02-eac0-332b-8998-213a543139a0"
                 }
               }``
+
+            - CLIENT_CREDENTIAL: OAuth2 client credentials grant based authentication.<br/>
+              ``{
+                "type": "CLIENT_CREDENTIAL",
+                "properties": {
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
+
+            - PASSWORD_CREDENTIAL: OAuth2 resource owner password credentials grant based authentication.<br/>
+              ``{
+                "type": "PASSWORD_CREDENTIAL",
+                "properties": {
+                  "username": "auth_username",
+                  "password": "auth_password",
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
       required:
         - type
       properties:
@@ -2360,6 +2384,8 @@ components:
             - BEARER
             - API_KEY
             - BASIC
+            - CLIENT_CREDENTIAL
+            - PASSWORD_CREDENTIAL
           example: BASIC
         properties:
           type: object
diff --git a/en/identity-server/next/docs/apis/restapis/authenticators.yaml b/en/identity-server/next/docs/apis/restapis/authenticators.yaml
@@ -493,6 +493,30 @@ components:
                   "accessToken": "0d6fed02-eac0-332b-8998-213a543139a0"
                 }
               }``
+
+            - CLIENT_CREDENTIAL: OAuth2 client credentials grant based authentication.<br/>
+              ``{
+                "type": "CLIENT_CREDENTIAL",
+                "properties": {
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
+
+            - PASSWORD_CREDENTIAL: OAuth2 resource owner password credentials grant based authentication.<br/>
+              ``{
+                "type": "PASSWORD_CREDENTIAL",
+                "properties": {
+                  "username": "auth_username",
+                  "password": "auth_password",
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
       required:
         - type
         - properties
@@ -504,6 +528,8 @@ components:
             - BEARER
             - API_KEY
             - BASIC
+            - CLIENT_CREDENTIAL
+            - PASSWORD_CREDENTIAL
           example: BASIC
         properties:
           type: object
diff --git a/en/identity-server/next/docs/apis/restapis/configs.yaml b/en/identity-server/next/docs/apis/restapis/configs.yaml
@@ -1541,6 +1541,8 @@ components:
             - BEARER
             - API_KEY
             - BASIC
+            - CLIENT_CREDENTIAL
+            - PASSWORD_CREDENTIAL
           example: BASIC
         properties:
           type: object
diff --git a/en/identity-server/next/docs/apis/restapis/idp.yaml b/en/identity-server/next/docs/apis/restapis/idp.yaml
@@ -3315,6 +3315,30 @@ components:
                   "accessToken": "0d6fed02-eac0-332b-8998-213a543139a0"
                 }
               }``
+
+            - CLIENT_CREDENTIAL: OAuth2 client credentials grant based authentication.<br/>
+              ``{
+                "type": "CLIENT_CREDENTIAL",
+                "properties": {
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
+
+            - PASSWORD_CREDENTIAL: OAuth2 resource owner password credentials grant based authentication.<br/>
+              ``{
+                "type": "PASSWORD_CREDENTIAL",
+                "properties": {
+                  "username": "auth_username",
+                  "password": "auth_password",
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
       required:
         - type
       properties:
@@ -3325,6 +3349,8 @@ components:
             - BEARER
             - API_KEY
             - BASIC
+            - CLIENT_CREDENTIAL
+            - PASSWORD_CREDENTIAL
           example: BASIC
         properties:
           type: object
diff --git a/en/includes/guides/service-extensions/in-flow-extensions/custom-authentication.md b/en/includes/guides/service-extensions/in-flow-extensions/custom-authentication.md
@@ -81,6 +81,10 @@ Your external web service should do the following to integrate as a custom authe
     - Basic Authentication: Use HTTP Basic authentication to secure the endpoint.
     - OAuth 2.0 Bearer Tokens: Use OAuth 2.0 for token-based authentication.
     - API Key Header: Secure the endpoint using an API key sent in the request header.
+    {% if (product_name == "WSO2 Identity Server" and is_version > "7.3.0") or product_name == "Asgardeo" %}
+    - OAuth 2.0 Client Credentials Grant: {{product_name}} obtains an access token from your authorization server using the OAuth 2.0 client credentials grant and uses it to call the endpoint.
+    - OAuth 2.0 Password Grant: {{product_name}} obtains an access token from your authorization server using the OAuth 2.0 resource owner password credentials grant and uses it to call the endpoint.
+    {% endif %}
 
     !!! tip
         During the development phase, you may choose to invoke your external service without security for testing purposes. Always secure your service before deploying it in a production environment.
@@ -112,6 +116,10 @@ Follow the steps below to configure a custom authenticator.
         - Basic - Provide a username and password.
         - Bearer - Provide a bearer token.
         - API Key - Provide the header name and the value.
+        {% if (product_name == "WSO2 Identity Server" and is_version > "7.3.0") or product_name == "Asgardeo" %}
+        - OAuth 2.0 Client Credentials - Provide the token endpoint, client ID, client secret, and optionally a space-separated list of scopes. {{product_name}} retrieves a fresh access token from the configured token endpoint using the OAuth 2.0 client credentials grant and uses it as a bearer token when invoking the custom authenticator endpoint.
+        - OAuth 2.0 Password Grant - Provide the token endpoint, client ID, client secret, username, password, and optionally a space-separated list of scopes. {{product_name}} retrieves a fresh access token from the configured token endpoint using the OAuth 2.0 resource owner password credentials grant and uses it as a bearer token when invoking the custom authenticator endpoint.
+        {% endif %}
         - No Authentication - No authentication (recommended only for testing purposes).
 
 6. If you select **External (Federated) User Authentication**, configure [JIT-User Provisioning]({{base_path}}/guides/authentication/jit-user-provisioning) according to your requirements. Additionally, review and set up [role assignments for user groups]({{base_path}}/guides/users/manage-roles/#assign-external-groups-to-a-role) to ensure seamless integration.
