Merge pull request #6139 from UdeshAthukorala/action-oauth2-authentication

UdeshAthukorala · web-flow · commit c3f6f1e4a9ec · 2026-05-14T14:00:02.000+05:30
Document OAuth2 client credentials and password grant based authentication support for actions
diff --git a/en/asgardeo/docs/apis/organization-apis/restapis/actions.yaml b/en/asgardeo/docs/apis/organization-apis/restapis/actions.yaml
@@ -1192,12 +1192,12 @@ components:
       type: object
       description: >
             The type of authentication required by the action's endpoint. The following options are supported:
-            
+
             - NONE: No authentication is required. <br>
               ``{
                 "type": "NONE"
               }``
-              
+
             - BASIC: Basic authentication with a username and password.<br>
               ``{
                 "type": "BASIC",
@@ -1206,7 +1206,7 @@ components:
                   "password": "auth_password"
                 }
               }``
-              
+
             - API_KEY: API key-based authentication, where the key is provided in an HTTP header.<br>
               ``{
                 "type": "API_KEY",
@@ -1215,14 +1215,38 @@ components:
                   "value": "12345-abcde-67890"
                 }
               }``
-            
+
             - BEARER: Bearer token-based authentication.<br/>
               ``{
                 "type": "BEARER",
                 "properties": {
                   "accessToken": "0d6fed02-eac0-332b-8998-213a543139a0"
                 }
               }``
+
+            - CLIENT_CREDENTIAL: OAuth2 client credentials grant based authentication.<br/>
+              ``{
+                "type": "CLIENT_CREDENTIAL",
+                "properties": {
+                  "clientId": "3e172dd2-901b-43a9-a26a-728466795f01",
+                  "clientSecret": "83cdc120-ccf6-4163-a4a8-c1ba3e872daa",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
+
+            - PASSWORD_CREDENTIAL: OAuth2 resource owner password credentials grant based authentication.<br/>
+              ``{
+                "type": "PASSWORD_CREDENTIAL",
+                "properties": {
+                  "username": "alice",
+                  "password": "p@ssw0rd!",
+                  "clientId": "3e172dd2-901b-43a9-a26a-728466795f01",
+                  "clientSecret": "83cdc120-ccf6-4163-a4a8-c1ba3e872daa",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
       required:
         - type
       properties:
@@ -1233,6 +1257,8 @@ components:
             - BEARER
             - API_KEY
             - BASIC
+            - CLIENT_CREDENTIAL
+            - PASSWORD_CREDENTIAL
           example: BASIC
         properties:
           type: object
@@ -1257,8 +1283,18 @@ components:
             - BEARER
             - API_KEY
             - BASIC
+            - CLIENT_CREDENTIAL
+            - PASSWORD_CREDENTIAL
           description: Type of the authentication.
           example: BASIC
+        properties:
+          type: object
+          description: Authentication properties (without secrets) specific to the selected type.
+          additionalProperties: true
+      example:
+        type: BASIC
+        properties:
+          username: "auth_username"
 
     ActionUpdateModel:
       type: object
diff --git a/en/asgardeo/docs/apis/restapis/actions.yaml b/en/asgardeo/docs/apis/restapis/actions.yaml
@@ -1456,12 +1456,12 @@ components:
       type: object
       description: >
             The type of authentication required by the action's endpoint. The following options are supported:
-            
+
             - NONE: No authentication is required. <br>
               ``{
                 "type": "NONE"
               }``
-              
+
             - BASIC: Basic authentication with a username and password.<br>
               ``{
                 "type": "BASIC",
@@ -1470,7 +1470,7 @@ components:
                   "password": "auth_password"
                 }
               }``
-              
+
             - API_KEY: API key-based authentication, where the key is provided in an HTTP header.<br>
               ``{
                 "type": "API_KEY",
@@ -1479,14 +1479,38 @@ components:
                   "value": "12345-abcde-67890"
                 }
               }``
-            
+
             - BEARER: Bearer token-based authentication.<br/>
               ``{
                 "type": "BEARER",
                 "properties": {
                   "accessToken": "0d6fed02-eac0-332b-8998-213a543139a0"
                 }
               }``
+
+            - CLIENT_CREDENTIAL: OAuth2 client credentials grant based authentication.<br/>
+              ``{
+                "type": "CLIENT_CREDENTIAL",
+                "properties": {
+                  "clientId": "3e172dd2-901b-43a9-a26a-728466795f01",
+                  "clientSecret": "83cdc120-ccf6-4163-a4a8-c1ba3e872daa",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
+
+            - PASSWORD_CREDENTIAL: OAuth2 resource owner password credentials grant based authentication.<br/>
+              ``{
+                "type": "PASSWORD_CREDENTIAL",
+                "properties": {
+                  "username": "alice",
+                  "password": "p@ssw0rd!",
+                  "clientId": "3e172dd2-901b-43a9-a26a-728466795f01",
+                  "clientSecret": "83cdc120-ccf6-4163-a4a8-c1ba3e872daa",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
       required:
         - type
       properties:
@@ -1497,6 +1521,8 @@ components:
             - BEARER
             - API_KEY
             - BASIC
+            - CLIENT_CREDENTIAL
+            - PASSWORD_CREDENTIAL
           example: BASIC
         properties:
           type: object
@@ -1521,8 +1547,18 @@ components:
             - BEARER
             - API_KEY
             - BASIC
+            - CLIENT_CREDENTIAL
+            - PASSWORD_CREDENTIAL
           description: Type of the authentication.
           example: BASIC
+        properties:
+          type: object
+          description: Authentication properties (without secrets) specific to the selected type.
+          additionalProperties: true
+      example:
+        type: BASIC
+        properties:
+          username: "auth_username"
 
     ActionUpdateModel:
       type: object
diff --git a/en/identity-server/next/docs/apis/organization-apis/restapis/actions.yaml b/en/identity-server/next/docs/apis/organization-apis/restapis/actions.yaml
@@ -1195,12 +1195,12 @@ components:
       type: object
       description: >
             The type of authentication required by the action's endpoint. The following options are supported:
-            
+
             - NONE: No authentication is required. <br>
               ``{
                 "type": "NONE"
               }``
-              
+
             - BASIC: Basic authentication with a username and password.<br>
               ``{
                 "type": "BASIC",
@@ -1209,7 +1209,7 @@ components:
                   "password": "auth_password"
                 }
               }``
-              
+
             - API_KEY: API key-based authentication, where the key is provided in an HTTP header.<br>
               ``{
                 "type": "API_KEY",
@@ -1218,14 +1218,38 @@ components:
                   "value": "12345-abcde-67890"
                 }
               }``
-            
+
             - BEARER: Bearer token-based authentication.<br/>
               ``{
                 "type": "BEARER",
                 "properties": {
                   "accessToken": "0d6fed02-eac0-332b-8998-213a543139a0"
                 }
               }``
+
+            - CLIENT_CREDENTIAL: OAuth2 client credentials grant based authentication.<br/>
+              ``{
+                "type": "CLIENT_CREDENTIAL",
+                "properties": {
+                  "clientId": "3e172dd2-901b-43a9-a26a-728466795f01",
+                  "clientSecret": "83cdc120-ccf6-4163-a4a8-c1ba3e872daa",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
+
+            - PASSWORD_CREDENTIAL: OAuth2 resource owner password credentials grant based authentication.<br/>
+              ``{
+                "type": "PASSWORD_CREDENTIAL",
+                "properties": {
+                  "username": "alice",
+                  "password": "p@ssw0rd!",
+                  "clientId": "3e172dd2-901b-43a9-a26a-728466795f01",
+                  "clientSecret": "83cdc120-ccf6-4163-a4a8-c1ba3e872daa",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
       required:
         - type
       properties:
@@ -1236,6 +1260,8 @@ components:
             - BEARER
             - API_KEY
             - BASIC
+            - CLIENT_CREDENTIAL
+            - PASSWORD_CREDENTIAL
           example: BASIC
         properties:
           type: object
@@ -1260,8 +1286,18 @@ components:
             - BEARER
             - API_KEY
             - BASIC
+            - CLIENT_CREDENTIAL
+            - PASSWORD_CREDENTIAL
           description: Type of the authentication.
           example: BASIC
+        properties:
+          type: object
+          description: Authentication properties (without secrets) specific to the selected type.
+          additionalProperties: true
+      example:
+        type: BASIC
+        properties:
+          username: "auth_username"
 
     ActionUpdateModel:
       type: object
diff --git a/en/identity-server/next/docs/apis/restapis/actions.yaml b/en/identity-server/next/docs/apis/restapis/actions.yaml
@@ -1463,12 +1463,12 @@ components:
       type: object
       description: >
             The type of authentication required by the action's endpoint. The following options are supported:
-            
+
             - NONE: No authentication is required. <br>
               ``{
                 "type": "NONE"
               }``
-              
+
             - BASIC: Basic authentication with a username and password.<br>
               ``{
                 "type": "BASIC",
@@ -1477,7 +1477,7 @@ components:
                   "password": "auth_password"
                 }
               }``
-              
+
             - API_KEY: API key-based authentication, where the key is provided in an HTTP header.<br>
               ``{
                 "type": "API_KEY",
@@ -1486,14 +1486,38 @@ components:
                   "value": "12345-abcde-67890"
                 }
               }``
-            
+
             - BEARER: Bearer token-based authentication.<br/>
               ``{
                 "type": "BEARER",
                 "properties": {
                   "accessToken": "0d6fed02-eac0-332b-8998-213a543139a0"
                 }
               }``
+
+            - CLIENT_CREDENTIAL: OAuth2 client credentials grant based authentication.<br/>
+              ``{
+                "type": "CLIENT_CREDENTIAL",
+                "properties": {
+                  "clientId": "3e172dd2-901b-43a9-a26a-728466795f01",
+                  "clientSecret": "83cdc120-ccf6-4163-a4a8-c1ba3e872daa",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
+
+            - PASSWORD_CREDENTIAL: OAuth2 resource owner password credentials grant based authentication.<br/>
+              ``{
+                "type": "PASSWORD_CREDENTIAL",
+                "properties": {
+                  "username": "alice",
+                  "password": "p@ssw0rd!",
+                  "clientId": "3e172dd2-901b-43a9-a26a-728466795f01",
+                  "clientSecret": "83cdc120-ccf6-4163-a4a8-c1ba3e872daa",
+                  "tokenEndpoint": "https://custom.idp.com/oauth2/token",
+                  "scopes": "send_scope"
+                }
+              }``
       required:
         - type
       properties:
@@ -1504,6 +1528,8 @@ components:
             - BEARER
             - API_KEY
             - BASIC
+            - CLIENT_CREDENTIAL
+            - PASSWORD_CREDENTIAL
           example: BASIC
         properties:
           type: object
@@ -1528,8 +1554,18 @@ components:
             - BEARER
             - API_KEY
             - BASIC
+            - CLIENT_CREDENTIAL
+            - PASSWORD_CREDENTIAL
           description: Type of the authentication.
           example: BASIC
+        properties:
+          type: object
+          description: Authentication properties (without secrets) specific to the selected type.
+          additionalProperties: true
+      example:
+        type: BASIC
+        properties:
+          username: "auth_username"
 
     ActionUpdateModel:
       type: object
diff --git a/en/includes/guides/service-extensions/pre-flow-extensions/action-versions/pre-issue-id-token-action-v1.x.md b/en/includes/guides/service-extensions/pre-flow-extensions/action-versions/pre-issue-id-token-action-v1.x.md
@@ -560,6 +560,13 @@ Configure the authentication scheme when registering the action in {{product_nam
 - **Basic**: HTTP Basic authentication.
 - **Bearer**: OAuth 2.0 Bearer token in the <code>Authorization</code> header.
 - **API Key**: API key in a header; you can define the header name (for example, <code>X-API-Key</code>).
+{% if (product_name == "WSO2 Identity Server" and is_version > "7.3.0") or product_name == "Asgardeo" %}
+- **OAuth 2.0 Client Credentials**: {{product_name}} retrieves an access token from the configured token endpoint using the OAuth 2.0 client credentials grant and uses it as a bearer token when invoking the action endpoint.
+- **OAuth 2.0 Password Grant**: {{product_name}} retrieves an access token from the configured token endpoint using the OAuth 2.0 resource owner password credentials grant and uses it as a bearer token when invoking the action endpoint.
+
+!!! warning
+    If you use your own {{product_name}} organization as the authorization server (that is, the configured token endpoint belongs to the same organization and the OAuth 2.0 application used to obtain the access token resides in the same organization), exclude that application from this **Pre-Issue ID Token** action (and the **Pre-Issue Access Token** action) by configuring a rule. Otherwise the token issuance flow will fall into a cyclic dependency, since the action invocation triggers a token request, which in turn triggers the same action again. As a result, the ID token and access token issuance will break.
+{% endif %}
 
 ## Conditional invocation of pre-issue id token action
 
diff --git a/en/includes/guides/service-extensions/pre-flow-extensions/setting-up-actions.md b/en/includes/guides/service-extensions/pre-flow-extensions/setting-up-actions.md
