Merge pull request #6163 from UdeshAthukorala/custom-authn

UdeshAthukorala · web-flow · commit 3490801e49a1 · 2026-05-28T14:13:56.000+05:30
Document OAuth2 client credentials and password grant based authentication support for custom authenticators
diff --git a/en/asgardeo/docs/apis/organization-apis/restapis/authenticators.yaml b/en/asgardeo/docs/apis/organization-apis/restapis/authenticators.yaml
@@ -491,6 +491,30 @@ components:
                   "accessToken": "0d6fed02-eac0-332b-8998-213a543139a0"
                 }
               }``
+
+            - CLIENT_CREDENTIAL: OAuth2 client credentials grant based authentication.<br/>
+              ``{
+                "type": "CLIENT_CREDENTIAL",
+                "properties": {
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
+
+            - PASSWORD_CREDENTIAL: OAuth2 resource owner password credentials grant based authentication.<br/>
+              ``{
+                "type": "PASSWORD_CREDENTIAL",
+                "properties": {
+                  "username": "auth_username",
+                  "password": "auth_password",
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
       required:
         - type
         - properties
@@ -502,6 +526,8 @@ components:
             - BEARER
             - API_KEY
             - BASIC
+            - CLIENT_CREDENTIAL
+            - PASSWORD_CREDENTIAL
           example: BASIC
         properties:
           type: object
diff --git a/en/asgardeo/docs/apis/organization-apis/restapis/idp.yaml b/en/asgardeo/docs/apis/organization-apis/restapis/idp.yaml
@@ -2325,6 +2325,30 @@ components:
                   "accessToken": "0d6fed02-eac0-332b-8998-213a543139a0"
                 }
               }``
+
+            - CLIENT_CREDENTIAL: OAuth2 client credentials grant based authentication.<br/>
+              ``{
+                "type": "CLIENT_CREDENTIAL",
+                "properties": {
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
+
+            - PASSWORD_CREDENTIAL: OAuth2 resource owner password credentials grant based authentication.<br/>
+              ``{
+                "type": "PASSWORD_CREDENTIAL",
+                "properties": {
+                  "username": "auth_username",
+                  "password": "auth_password",
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
       required:
         - type
       properties:
@@ -2335,6 +2359,8 @@ components:
             - BEARER
             - API_KEY
             - BASIC
+            - CLIENT_CREDENTIAL
+            - PASSWORD_CREDENTIAL
           example: BASIC
         properties:
           type: object
diff --git a/en/asgardeo/docs/apis/restapis/authenticators.yaml b/en/asgardeo/docs/apis/restapis/authenticators.yaml
@@ -489,6 +489,30 @@ components:
                   "accessToken": "0d6fed02-eac0-332b-8998-213a543139a0"
                 }
               }``
+
+            - CLIENT_CREDENTIAL: OAuth2 client credentials grant based authentication.<br/>
+              ``{
+                "type": "CLIENT_CREDENTIAL",
+                "properties": {
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
+
+            - PASSWORD_CREDENTIAL: OAuth2 resource owner password credentials grant based authentication.<br/>
+              ``{
+                "type": "PASSWORD_CREDENTIAL",
+                "properties": {
+                  "username": "auth_username",
+                  "password": "auth_password",
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
       required:
         - type
         - properties
@@ -500,6 +524,8 @@ components:
             - BEARER
             - API_KEY
             - BASIC
+            - CLIENT_CREDENTIAL
+            - PASSWORD_CREDENTIAL
           example: BASIC
         properties:
           type: object
diff --git a/en/asgardeo/docs/apis/restapis/idp.yaml b/en/asgardeo/docs/apis/restapis/idp.yaml
@@ -2669,6 +2669,30 @@ components:
                   "accessToken": "0d6fed02-eac0-332b-8998-213a543139a0"
                 }
               }``
+
+            - CLIENT_CREDENTIAL: OAuth2 client credentials grant based authentication.<br/>
+              ``{
+                "type": "CLIENT_CREDENTIAL",
+                "properties": {
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
+
+            - PASSWORD_CREDENTIAL: OAuth2 resource owner password credentials grant based authentication.<br/>
+              ``{
+                "type": "PASSWORD_CREDENTIAL",
+                "properties": {
+                  "username": "auth_username",
+                  "password": "auth_password",
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
       required:
         - type
       properties:
@@ -2679,6 +2703,8 @@ components:
             - BEARER
             - API_KEY
             - BASIC
+            - CLIENT_CREDENTIAL
+            - PASSWORD_CREDENTIAL
           example: BASIC
         properties:
           type: object
diff --git a/en/identity-server/next/docs/apis/organization-apis/restapis/authenticators.yaml b/en/identity-server/next/docs/apis/organization-apis/restapis/authenticators.yaml
@@ -494,6 +494,30 @@ components:
                   "accessToken": "0d6fed02-eac0-332b-8998-213a543139a0"
                 }
               }``
+
+            - CLIENT_CREDENTIAL: OAuth2 client credentials grant based authentication.<br/>
+              ``{
+                "type": "CLIENT_CREDENTIAL",
+                "properties": {
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
+
+            - PASSWORD_CREDENTIAL: OAuth2 resource owner password credentials grant based authentication.<br/>
+              ``{
+                "type": "PASSWORD_CREDENTIAL",
+                "properties": {
+                  "username": "auth_username",
+                  "password": "auth_password",
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
       required:
         - type
         - properties
@@ -505,6 +529,8 @@ components:
             - BEARER
             - API_KEY
             - BASIC
+            - CLIENT_CREDENTIAL
+            - PASSWORD_CREDENTIAL
           example: BASIC
         properties:
           type: object
diff --git a/en/identity-server/next/docs/apis/organization-apis/restapis/idp.yaml b/en/identity-server/next/docs/apis/organization-apis/restapis/idp.yaml
@@ -2350,6 +2350,30 @@ components:
                   "accessToken": "0d6fed02-eac0-332b-8998-213a543139a0"
                 }
               }``
+
+            - CLIENT_CREDENTIAL: OAuth2 client credentials grant based authentication.<br/>
+              ``{
+                "type": "CLIENT_CREDENTIAL",
+                "properties": {
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
+
+            - PASSWORD_CREDENTIAL: OAuth2 resource owner password credentials grant based authentication.<br/>
+              ``{
+                "type": "PASSWORD_CREDENTIAL",
+                "properties": {
+                  "username": "auth_username",
+                  "password": "auth_password",
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
       required:
         - type
       properties:
@@ -2360,6 +2384,8 @@ components:
             - BEARER
             - API_KEY
             - BASIC
+            - CLIENT_CREDENTIAL
+            - PASSWORD_CREDENTIAL
           example: BASIC
         properties:
           type: object
diff --git a/en/identity-server/next/docs/apis/restapis/authenticators.yaml b/en/identity-server/next/docs/apis/restapis/authenticators.yaml
@@ -493,6 +493,30 @@ components:
                   "accessToken": "0d6fed02-eac0-332b-8998-213a543139a0"
                 }
               }``
+
+            - CLIENT_CREDENTIAL: OAuth2 client credentials grant based authentication.<br/>
+              ``{
+                "type": "CLIENT_CREDENTIAL",
+                "properties": {
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
+
+            - PASSWORD_CREDENTIAL: OAuth2 resource owner password credentials grant based authentication.<br/>
+              ``{
+                "type": "PASSWORD_CREDENTIAL",
+                "properties": {
+                  "username": "auth_username",
+                  "password": "auth_password",
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
       required:
         - type
         - properties
@@ -504,6 +528,8 @@ components:
             - BEARER
             - API_KEY
             - BASIC
+            - CLIENT_CREDENTIAL
+            - PASSWORD_CREDENTIAL
           example: BASIC
         properties:
           type: object
diff --git a/en/identity-server/next/docs/apis/restapis/configs.yaml b/en/identity-server/next/docs/apis/restapis/configs.yaml
@@ -1541,6 +1541,8 @@ components:
             - BEARER
             - API_KEY
             - BASIC
+            - CLIENT_CREDENTIAL
+            - PASSWORD_CREDENTIAL
           example: BASIC
         properties:
           type: object
diff --git a/en/identity-server/next/docs/apis/restapis/idp.yaml b/en/identity-server/next/docs/apis/restapis/idp.yaml
@@ -3315,6 +3315,30 @@ components:
                   "accessToken": "0d6fed02-eac0-332b-8998-213a543139a0"
                 }
               }``
+
+            - CLIENT_CREDENTIAL: OAuth2 client credentials grant based authentication.<br/>
+              ``{
+                "type": "CLIENT_CREDENTIAL",
+                "properties": {
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
+
+            - PASSWORD_CREDENTIAL: OAuth2 resource owner password credentials grant based authentication.<br/>
+              ``{
+                "type": "PASSWORD_CREDENTIAL",
+                "properties": {
+                  "username": "auth_username",
+                  "password": "auth_password",
+                  "clientId": "auth_clientId",
+                  "clientSecret": "auth_clientSecret",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
       required:
         - type
       properties:
@@ -3325,6 +3349,8 @@ components:
             - BEARER
             - API_KEY
             - BASIC
+            - CLIENT_CREDENTIAL
+            - PASSWORD_CREDENTIAL
           example: BASIC
         properties:
           type: object
diff --git a/en/includes/guides/service-extensions/in-flow-extensions/custom-authentication.md b/en/includes/guides/service-extensions/in-flow-extensions/custom-authentication.md
@@ -81,6 +81,10 @@ Your external web service should do the following to integrate as a custom authe
     - Basic Authentication: Use HTTP Basic authentication to secure the endpoint.
     - OAuth 2.0 Bearer Tokens: Use OAuth 2.0 for token-based authentication.
     - API Key Header: Secure the endpoint using an API key sent in the request header.
+    {% if (product_name == "WSO2 Identity Server" and is_version > "7.3.0") or product_name == "Asgardeo" %}
+    - OAuth 2.0 Client Credentials Grant: {{product_name}} obtains an access token from your authorization server using the OAuth 2.0 client credentials grant and uses it to call the endpoint.
+    - OAuth 2.0 Password Grant: {{product_name}} obtains an access token from your authorization server using the OAuth 2.0 resource owner password credentials grant and uses it to call the endpoint.
+    {% endif %}
 
     !!! tip
         During the development phase, you may choose to invoke your external service without security for testing purposes. Always secure your service before deploying it in a production environment.
@@ -112,6 +116,10 @@ Follow the steps below to configure a custom authenticator.
         - Basic - Provide a username and password.
         - Bearer - Provide a bearer token.
         - API Key - Provide the header name and the value.
+        {% if (product_name == "WSO2 Identity Server" and is_version > "7.3.0") or product_name == "Asgardeo" %}
+        - OAuth 2.0 Client Credentials - Provide the token endpoint, client ID, client secret, and optionally a space-separated list of scopes. {{product_name}} retrieves a fresh access token from the configured token endpoint using the OAuth 2.0 client credentials grant and uses it as a bearer token when invoking the custom authenticator endpoint.
+        - OAuth 2.0 Password Grant - Provide the token endpoint, client ID, client secret, username, password, and optionally a space-separated list of scopes. {{product_name}} retrieves a fresh access token from the configured token endpoint using the OAuth 2.0 resource owner password credentials grant and uses it as a bearer token when invoking the custom authenticator endpoint.
+        {% endif %}
         - No Authentication - No authentication (recommended only for testing purposes).
 
 6. If you select **External (Federated) User Authentication**, configure [JIT-User Provisioning]({{base_path}}/guides/authentication/jit-user-provisioning) according to your requirements. Additionally, review and set up [role assignments for user groups]({{base_path}}/guides/users/manage-roles/#assign-external-groups-to-a-role) to ensure seamless integration.
