Getting started

Endpoints

General

Why we can't use Client Credentials OAuth flow.

Understanding the Security Philosophy Behind Physical Access Control

As developers integrating with APIs, we often gravitate toward the most straightforward authentication methods. When building machine-to-machine integrations, the OAuth 2.0 Client Credentials flow seems like the obvious choice. It's simple, requires no user interaction, and is widely implemented across many API platforms.

So when DoorFlow, a physical access control API provider, insists on Authorization Code flow with refresh tokens instead of Client Credentials, it's natural to ask: "Why can't we just use Client Credentials?"

Let's unpack why this seemingly reasonable request conflicts with DoorFlow's security philosophy and why our approach, though more complex, is intentionally designed for the high-stakes world of physical access control.

For a complete understanding of our API security philosophy read more here https://developer.doorflow.com/docs/categories/api/articles/47958

The Fundamental Conflict

DoorFlow's security model is built around several core principles that fundamentally conflict with the Client Credentials flow:

1. "Account Owner Permission Required - Always Ask, Never Assume"

"We operate on a multi-tenant model where all applications require explicit consent for access to any DoorFlow account. No client is considered the resource owner for any DoorFlow account."

Client Credentials flow directly contradicts this philosophy. In this flow, the application itself becomes the resource owner and can access resources without any user's explicit consent. There's no "ask" step - the application simply authenticates as itself.

2. "Clients Have No Resources"

"All API requests are made within the context of a user, ensuring complete traceability and accountability for every operation within the system. A client application has no resources that it can access if there is no user context present."

Client Credentials flow is specifically designed for scenarios where the client itself has resources and operates without user context. This directly conflicts with DoorFlow's requirement that every operation must be traceable to a specific user.

3. "Zero Trust: Trust Is Earned With Every Request, Never Assumed"

"All external applications are treated as third-party applications and are not assumed to be confidential."

Client Credentials flow fundamentally assumes the client application is confidential and can securely store credentials. DoorFlow's zero trust approach explicitly rejects this assumption.

Why Physical Access Deserves This Level of Security

These constraints might seem excessive compared to other APIs, but consider DoorFlow's core argument:

"Unlike digital access, once physical access is granted, its consequences cannot be undone."

Digital permissions can be revoked retroactively with minimal damage. Physical access, once granted, can't be "ungranted." Someone who gains unauthorized physical access to a building can't have that access "rolled back" the way a digital breach might be contained.

The Apparent Contradiction: "If You Can't Trust Client Secrets, Why Trust Refresh Tokens?"

There's a legitimate question here: "If client secrets can't be trusted, how come you're trusting a client to store a refresh token? What's the difference from a security perspective?"

It's a fair point. Both scenarios involve a client application storing a secret credential. However, there are several critical differences:

1. Provenance and Control

Client Credentials are issued once to an application and typically don't change. If compromised, they provide permanent access until manually revoked.

Refresh tokens come into existence only after explicit user authorization and can be programmatically rotated. Their existence is evidence that a specific user granted consent at a specific time.

2. Accountability

Client Credentials operate in the name of the application, with no user context. If abused, there's no trail back to which user authorized the access.

Refresh tokens are always tied to a specific user's authorization event. Every action taken with a refresh token (or the access tokens it generates) is traceable back to the user who granted the original authorization.

3. Revocation Control

Client Credentials can only be revoked by an administrator of the application itself.

Refresh tokens can be revoked by the user who granted them, giving account owners direct control over all access to their resources.

4. Scope Limitations

Client Credentials typically have broad scopes defined by the application.

Refresh tokens inherit the specific scopes explicitly authorized by the user during the consent flow.

In essence, refresh tokens shift the trust model from "trust the application" to "trust the user's explicit decision to authorize the application," maintaining user agency and accountability throughout the process.

5. Compromise Detection

Client secrets can be used repeatedly without change, meaning a compromised secret can be exploited indefinitely without detection.

Many modern OAuth implementations (including DoorFlow) use refresh token rotation, where each refresh token can only be used once. After use, a new refresh token is issued. If a refresh token is used twice, it signals potential theft and in the future could allow DoorFlow to trigger automatic revocation of all tokens in the chain - a powerful security feature that client secrets don't offer.

The Machine-to-Machine Solution: Authorization Code with Refresh Tokens

DoorFlow isn't ignoring the need for machine-to-machine communication. We propose a solution that maintains our security principles while enabling automated processes:

  1. Perform a one-time Authorization Code flow to get initial tokens
  2. Securely store the refresh token
  3. Use the refresh token to obtain new access tokens as needed

This approach:

  • Preserves the explicit user consent requirement
  • Maintains traceability to a specific user
  • Allows for token revocation by the account owner
  • Supports automated background processes
  • Still works for machine-to-machine scenarios after initial setup

The Developer Experience Tradeoff

This approach does create additional complexity:

  • Initial setup requires a browser/user interaction
  • Refresh token management adds complexity
  • Using standard OAuth libraries requires more configuration

But this complexity serves a purpose - ensuring that physical access control maintains the highest possible security standards with complete accountability and user control.

A Matter of Philosophy, Not Technology

It's important to understand that DoorFlow's rejection of Client Credentials isn't primarily a technical limitation but a deliberate philosophical choice about how physical access control systems should operate.

Our entire security model is built around the principle that all access must be explicitly granted by an account owner and must always maintain user context. Client Credentials flow isn't just a different auth method - it represents a fundamentally different security model that conflicts with DoorFlow's core principles.

The Path Forward

If you're integrating with DoorFlow for machine-to-machine scenarios:

  1. Embrace the Authorization Code with refresh token approach
  2. Implement a one-time setup process to obtain refresh tokens
  3. Store these refresh tokens securely
  4. Use them to obtain access tokens for ongoing operations

While this requires more initial setup than Client Credentials would, it provides a workable solution for automated processes while maintaining DoorFlow's strict security model.

Physical access control operates in a different security context than most digital systems. Understanding and respecting these differences will lead to better, more secure integrations - even if they require a bit more work upfront.