The Client Credentials flow is used for machine-to-machine communications. There is no user context involved when using this flow, so it is beneficial to understand a few of its limitations before using it.
When using the Client Credentials flow, Okta issues only access tokens. ID tokens are never returned, because they are reserved for user-based flows that request the openid scope. This flow also does not issue Refresh Tokens, so there is no way to renew a session automatically: once an access token expires or is close to expiring, you must run the full Client Credentials grant again at the /token endpoint to obtain a new one.
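As an added example (not code from this article or from Okta), a small Python client that performs the grant and caches the access token, re-running the whole grant shortly before expiry since no refresh token exists. The token URL, client id and secret are placeholders; the `skew` seconds before expiry is an assumed safety margin.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Placeholder values (assumptions, not real endpoints or credentials).
TOKEN_URL = "https://example.okta.com/oauth2/CUSTOM_AS_ID/v1/token"


def client_credentials_request(token_url, client_id, client_secret, scopes):
    """Build the /token request for grant_type=client_credentials.
    Credentials travel in an HTTP Basic header; 'openid' is never requested,
    since this grant has no user and therefore yields no ID token."""
    if "openid" in scopes:
        raise ValueError("openid is a user-flow scope; drop it for client_credentials")
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": " ".join(scopes)}
    ).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        token_url, data=body, method="POST",
        headers={"Authorization": "Basic " + basic,
                 "Content-Type": "application/x-www-form-urlencoded"},
    )


def fetch_token(req):
    """Send the request and parse the JSON token response (network call)."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class ClientCredentialsTokenCache:
    """Holds one access token and re-runs the full grant shortly before it
    expires: there is no refresh token to renew it with."""

    def __init__(self, fetch, skew=60, clock=time.time):
        # fetch: zero-argument callable returning the parsed /token JSON.
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._token, self._expires_at, self.grants_run = None, 0.0, 0

    def get_token(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            resp = self._fetch()          # full grant again, not a refresh
            self._token = resp["access_token"]
            self._expires_at = now + float(resp["expires_in"])
            self.grants_run += 1
        return self._token
```

In real use, pass `lambda: fetch_token(client_credentials_request(TOKEN_URL, client_id, client_secret, scopes))` as the `fetch` callable.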
Claim evaluation on a Custom Authorization Server also behaves differently because there is no user context. If custom claims are based on user attributes, they resolve to null, and a user_claim_evaluation_failure is written to the system logs; the request does not fail, however, and the access token is still minted. If instead the sub (subject) system claim is configured to rely on user attributes, the /token endpoint fails explicitly with the error:
"The 'sub' system claim could not be evaluated."
