Machine-to-Machine (M2M) Authorization

Machine-to-machine (M2M) authorization enables secure communication between applications without human intervention. Instead of authenticating individual users, LoginRadius verifies and authorizes trusted devices or applications using predefined credentials and permissions. This ensures systems can exchange data and execute tasks automatically while maintaining strict security measures. By leveraging M2M authorization, businesses can facilitate seamless and secure interactions across their connected systems.

• Secure Communication: All interactions, including token exchange and data access, are encrypted to ensure security.
• Automation: The process is fully automated, eliminating the need for human intervention.
• Strict Authorization: Only devices or applications with valid credentials and permissions can access the resources.

M2M authorization is essential for scenarios that require secure, automated authentication, including:

• Service–to–service authentication– Allows applications to communicate securely, such as a web application connecting to a cloud database for data retrieval or updates.
• IoT Device Authorization – Allows smart devices to access cloud services automatically without manual authentication.
• Third-Party API Integrations – Ensures external services can securely connect to an application’s backend for seamless data exchange.
• CLI Clients to Internal Services: This feature enables command-line tools to interact securely with internal APIs, ensuring efficient and protected operations.

The workflow shown in the image illustrates how machine-to-machine (M2M) authorization securely facilitates automated communication between a client-server, a resource server, and the LoginRadius Authorization Server:

1. Request for Access Token:
   The client-server (partner application or device) initiates the process by requesting the LoginRadius Authorization Server with valid credentials.
2. Token Generation:
   The LoginRadius Authorization Server checks the credentials. If valid, it issues a JSON Web Token (JWT) that serves as proof of authorization and includes the permissions needed for access.
3. Trigger Management APIs:
   The client-server uses the JWT to request access to the resource (e.g., profile information via LoginRadius Management APIs). The resource server verifies the JWT with the LoginRadius Authorization Server to ensure it is valid and authorized.
4. Access to Protected Resources:
   If the JWT is valid, the resource server allows the client-server to access the requested data or resource. This ensures that only trusted devices or applications can interact securely.

To manage secure API access with defined permissions, set up and configure a machine-to-machine (M2M) app in LoginRadius. Follow these steps to create an app and configure its authentication settings.

Create the App

• Navigate to Admin Console → Applications → Apps.
• Click Add Apps and enter the name of the app.
• Select Machine 2 Machine App.
• Set access by choosing Audience and Allowed Scopes.

📌 Note: To know more about the list of available scopes refer to the Allowed Scopes section.

Configure M2M App

• App Name
• Client ID & Client Secret
  Note: The Client Secret is displayed only once. To ensure easy access in the future, save it securely when it's first generated.
• Algorithm & Token Endpoint Auth Method (Options: Client Secret Post, Auto, or Basic): To know more about these options refer to the bellow Authentications method section
• Token Expiration (Seconds)
• Define Access Permissions:
  • Select Audience (identifier) and Allowed Scopes.
• Click Save to finalize the setup.

This section outlines essential terms and authentication methods required for implementing M2M authorization. Understanding these concepts ensures secure and efficient communication between systems.

Authentication Method

LoginRadius supports three methods for authenticating at the token endpoint:

1. Client Secret Post: Sends the client_id and client_secret in the request body. Ideal for systems that cannot include credentials in headers.
2. Basic Authentication: Sends the client_id and client_secret as a Base64-encoded string in the Authorization header. Standard and secure when using HTTPS.
3. Auto: Automatically selects the best authentication method based on the request for easier integration.

Allowed Scopes

The following scopes define the specific actions that can be performed by applications or devices using M2M authorization. These scopes ensure fine-grained control over resource access and permissions:

• User Management:
  • update:users – Update user details.
  • delete:users – Delete user accounts.
• Tokens and Verification:
  • create:email_verification_token – Generate email verification tokens.
  • create:forgot_password_token – Generate tokens for password recovery.
  • create:sott – Generate Secure One-Time Tokens (SOTT).
  • revoke:tokens – Revoke active tokens for users or applications.
• Privacy Policy and Compliance:
  • read:users_privacy_policy_history – Access the history of users’ privacy policy agreements.
• Role Management:
  • create:roles – Create new roles for users or applications.
  • update:roles – Modify existing roles.
  • delete:roles – Remove roles.
• Custom Objects:
  • create:custom_objects – Create custom data objects.
  • read:custom_objects – Access custom objects.
  • update:custom_objects – Modify custom objects.
  • delete:custom_objects – Delete custom objects.

These scopes allow applications to interact securely with resources while maintaining strict access controls. To minimize security risks, always assign only the necessary scopes.

This guide walks through the implementation of M2M for secure server-to-server authentication without user interaction. The client application can request an access token from LoginRadius using a Client ID and Secret, allowing secure API interactions based on assigned scopes.

Request an Access Token(JWT)

The client application requests an access token by sending a POST request to the LoginRadius token endpoint.

Generate Access Token API: This API is used to generate an Access Token using Client Credential Flow.

{
  "audience": "https://api.loginradius.com/identity/v2/manage",
  "grant_type": "client_credentials",
  "client_id": "<CLIENT_ID>",
  "client_secret": "<CLIENT_SECRET>"
}

{
  "access_token": "eyJz93a...k4laUWw",
  "token_type": "Bearer",
  "expires_in": 86400
}

The access token is returned and will be used for future API calls.

Validate Access Token(JWT)

Before using the JWT token in API requests, ensure its validity by checking its issuer, audience, expiration, and signature.

Validate Access Token API: This API validates Access Token in Client Credential Flow.

{
  "token": "string",
  "token_type_hint": "string",
  "client_id": "string",
  "client_secret": "string"
}

{
  "active": true,
  "iss": "<Issuer URL>",
  "aud": "<Audience URL>",
  "sub": "<Subject Identifier>"
}

Access Resource

Once the Access Token(JWT) token is validated, authenticate and interact with LoginRadius APIs.

curl --request GET \
  --url https://api.loginradius.com/identity/v2/manage/account/{uid} \
  --header 'authorization: Bearer <ACCESS_TOKEN>' \
  --header 'X-LoginRadius-ApiKey: {API_KEY}'

APIs will function based on assigned permissions (scopes) without requiring the secret.

The Client Credentials Flow can also be applied to custom APIs. A token tailored to the specific API can be obtained by specifying a custom audience during the token request, ensuring secure access and communication between systems.

Custom API Token

Send a POST request to generate the Access Token (JWT) with a custom API.

Generate Access Token API:This API is used to generate an Access Token

Request Body

{
  "audience": "<CUSTOM_API_ENDPOINT>",
  "grant_type": "client_credentials",
  "client_id": "<CLIENT_ID>",
  "client_secret": "<CLIENT_SECRET>"
}

Use the Access Token(JWT)

curl --request GET \
  --url <CUSTOM_API_ENDPOINT> \
  --header 'authorization: Bearer <ACCESS_TOKEN>'

If an access token needs to be invalidated, revoke it to terminate its validity. Revoking an access token is a security measure that prevents unauthorized access if it is compromised or no longer required.

This process ensures that access to the protected resource is effectively blocked, reinforcing security and minimizing risk.

Revoke Access Token API: This API revokes the generated access token(JWT).

📌 Note:

• The siteurl should be LoginRadius Hosted Pages/Custom Domain URL (e.g., companyname.hub.loginradius.com).
• If using a custom domain, replace siteurl with the custom domain name.

Here is a structured table for all request body parameters and responses used in the Client Credentials Flow, along with their descriptions:

Parameter	Description
audience	The target resource or API the client wants to access (e.g., https://api.loginradius.com/identity/v2/manage). For custom APIs, use the custom endpoint.
grant_type	Specifies the OAuth 2.0 grant type. Always set as "client_credentials" for M2M authentication.
client_id	LoginRadius provides a unique identifier for the m2m application.
client_secret	The secret key is associated with the M2M application. Do not share or expose this value.
scope (optional)	This field defines the permissions granted by the token. The default scopes assigned to the application will be used if not provided.

Field	Type	Description
active	boolean	true if the token is valid and active.
iss	string	The token issuer (usually the authentication server).
AUD	string	The intended audience for this token.
sub	string	The subject identifier (the entity associated with this token).

• Oauth 2.0 Flows
• OIDC Flow
• Session Management
• JWT Login