# Setup Client credential flow

## Setup overview in OData connector configuration

See Setup for obtaining required in information before configuring authentication.&#x20;

{% hint style="info" %}
Design time configuration is recommended to configure using with Client Credential model.
{% endhint %}

{% hint style="info" %}
Prepare IFS setup first and collect all information ready before configuring Client Credentials. Also when configuring, add fields in order from top to bottom.
{% endhint %}

<figure><img src="/files/fQURAXveVOfRqlvj7Jx1" alt=""><figcaption><p>Example Client Credential setup</p></figcaption></figure>

### Setup

#### Access Token URL

Get **Access token URL** value from IFS Cloud.

{% content-ref url="/pages/pehKlFbKxppGwLyn2F5y" %}
[Obtaining Authentication related URLs from IFS Cloud](/flow-ifs-cloud-development-guidelines/flow-development-with-odata/configuration/authentication-models/obtaining-authentication-related-urls-from-ifs-cloud.md)
{% endcontent-ref %}

#### Client ID and Client Secret

Create one IFS service user and link it to new IAM Client.

**Create IFS service user**

Create IFS user type of Service User.&#x20;

{% hint style="info" %}
One cannot log into Aurena with IFS user type of service user.
{% endhint %}

<figure><img src="/files/rOcjn989NO6VaLNKa3Df" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
It could be good idea to have novaura/nc and flow in the IFS user name?
{% endhint %}

**IFS Service user permissions**

Minimum privileges in that service user needs are

* CONNECT system privilege
* ProjectionExplorer projection

This enables the OData Connector to get projection list from IFS.

If Client Credentials authentication is used in Runtime setup (debugging in Studio or for integrations for example), service user must be granted&#x20;

* all projections required by flows
* company and site setup to enable data visibility etc.&#x20;

**Create IFS IAM Client**

Create IAM client like in example and link it to IFS service user.&#x20;

{% hint style="info" %}
Name IAM client so that it can be identified as being used by Flow. Also adding postfix describing authentication type would be a good idea.&#x20;

Example name: NC\_Flow\_ClientCredentials, Novacura\_ClientCredentials
{% endhint %}

<figure><img src="/files/Pq91srq0DFYrfN8qYF49" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Use same name for same type of IAM client in all customers IFS Cloud instances.
{% endhint %}

From saved IAM client, copy

* **Client ID** (character size matters, NC\_FlowClientCred is not the same as NC\_FLOWCLIENTCRED) to OData connectors *Client ID* and
* generated **Secret** to OData connectors *Client Secret.*

#### Scope(s)

Set default value of **openid microprofile-jwt** to OData connectors *Scope(s)*.

## Flow Server User Setup

Flow User setup has no link to IFS user so there are no special requirements for flow user setup.&#x20;


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.novacura.com/flow-ifs-cloud-development-guidelines/flow-development-with-odata/configuration/authentication-models/setup-client-credential-flow.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.