---
id: ory-network-oauth2
title: OAuth2 authorization code and client credentials grants
sidebar_label: OAuth2 grants
---

# Try common OAuth2 Grants

[Ory OAuth2 & OpenID Connect](https://www.ory.com/hydra) (based on [Ory Hydra](https://github.com/ory/hydra)) is available in the
Ory Network out of the box. This means that you can use OIDC, Authorization Code Grant, Client Credentials Grant, and more,
without additional configuration.

Following this guide allows you to experience the most commonly used OAuth2 flows and see how they work in Ory Network. The
examples will take you through the following steps:

- Creating OAuth2 clients in the Ory Network with the Ory CLI
- Using the Authorization Code Grant with federation to Ory Identities for user authentication and UI views (login page, consent
  page) supplied by the Ory Account Experience
- Using the Client Credentials Grant
- Performing token introspection using the Ory CLI

## Prerequisites

Before you start, [install the Ory CLI](../guides/cli/installation).

## Client Credentials Grant

The [Client Credentials Grant](https://www.rfc-editor.org/rfc/rfc6749#section-4.4) is commonly used in machine-to-machine
communications. This allows web services, applications, or devices to call each other without the context of human users. Activity
that uses this grant often runs in the background and doesn't require any user interaction.

Follow these steps to try this grant in Ory Network. Create an Ory Network project using the Ory CLI and export the project ID:

```shell
ory create project --name "Ory OAuth2 Example"
project_id="{set to the project ID from output}"
```

1. Create an OAuth2 client:

   ```shell
   ory create oauth2-client --project "$PROJECT_ID" \
     --name "Client Credentials Demo" \
     --grant-type client_credentials
   ```

2. Export the ID and secret of the created client:

   ```shell
   client_id="{set to CLIENT ID from output}"
   client_secret="{set to CLIENT SECRET from output}"
   ```

3. Start the Client Credentials Grant:

   ```shell
   ory perform client-credentials \
     --client-id="$client_id" \
     --client-secret="$client_secret" \
     --project "$PROJECT_ID"
   ```

4. Perform token introspection to get the `access_token` details:

   ```shell
   # Export 'access_token'
   access_token="{set to ACCESS TOKEN from output}"

   # Perform token introspection
   ory introspect token $access_token --project "$PROJECT_ID"
   ```

## Authorization Code Grant

The [Authorization Code Grant](https://www.rfc-editor.org/rfc/rfc6749#section-1.3) is most commonly used in scenarios where
applications need to perform actions on behalf of users. For example, when an online marketplace allows users to add photos from
their Google Photos album to listings.

To achieve that, the online marketplace must access the user's Google Photos library on their behalf. If the user accepts the
access scope requested by the app (online marketplace), the app's client gets an `id_token` and `access_token` pair which is then
used to interact with Google Photos.

This is what using the grant with UI views supplied by the Ory Account Experience looks like:

```mdx-code-block
import mp4 from './_static/ory-network-oauth2/oauth2-ory.mp4'
import webm from './_static/ory-network-oauth2/oauth2-ory.webm'
import VideoEmbed from '@site/src/components/VideoEmbed'

<VideoEmbed mp4={mp4} webm={webm} />
```

To try the Authorization Code Grant, follow these steps.

1. Create an Ory Network project using the Ory CLI and export the project ID:

   ```shell
   ory create project --name "Ory OAuth2 Example"
   project_id="{set to the project ID from output}"
   ```

2. Create an OAuth2 client

   ```shell
   ory create oauth2-client --project "$PROJECT_ID" \
     --name "Authorization Code Grant with OpenID Connect Demo" \
     --grant-type authorization_code,refresh_token \
     --response-type code \
     --redirect-uri http://127.0.0.1:4446/callback
   ```

3. Export the ID and secret of the created client:

   ```shell
   code_client_id="{set to CLIENT ID from output}"
   code_client_secret="{set to CLIENT SECRET from output}"
   ```

4. Start the Authorization Code Grant flow:

   :::note

   This opens a sample OAuth2 consumer app in your default browser.

   :::

   ```shell
   ory perform authorization-code \
     --project "$PROJECT_ID" \
     --client-id "$code_client_id" \
     --client-secret "$code_client_secret"
   ```

   In the browser, use the UI to register a new user and allow the client to get the requested scopes to get an `access_token`, a
   `refresh_token`, and an `id_token`. This information is also printed in the terminal used to run the commands.

5. Perform token introspection to get the `access_token` details:

   ```shell
   # Export 'access_token'
   code_access_token="{set to ACCESS TOKEN from output}"

   # Perform token introspection
   ory introspect token $code_access_token --project "$PROJECT_ID"
   ```