Expanded Identity Security With Duo Single Sign-On: Duo Adds Support for OAuth 2.0 Client Credentials
As identity-based attacks become more prevalent, the ability to fine-tune access at a granular level is not just an advantage — it's a necessity. Duo has been born at the forefront of this shift, offering SAML support since 2015 and OIDC since 2023, which has helped many of our customers secure applications with Duo’s best-in-class identity security controls. Now, we're refining our approach even further with the integration of OAuth Client Credentials, now Generally Available, to provide even more precise control mechanisms within our security suite.
Understanding OAuth Client Credentials
Before delving into how Duo Single Sign-On (SSO) leverages OAuth Client Credentials, let's clarify what this protocol entails. OAuth Client Credentials is a part of the OAuth 2.0 specification, which is a widely adopted industry standard for authorization. Unlike other OAuth 2.0 flows designed for end-user approval, the Client Credentials grant type is specifically tailored for server-to-server authentication, where no user interaction is involved.
In this flow, a client application can directly request an access token from the Authorization Server using its own credentials. Once the Authorization Server authenticates the client, it issues an access token. This token then grants the client application access to the protected resources hosted by the resource server. It's a streamlined process designed for efficiency and security, ideal for scenarios where applications must perform automated tasks without manual user intervention.
Secure segmentation by default
Duo SSO's implementation of OAuth Client Credentials is akin to a master key maker crafting unique keys for each room in a building. Just as a key maker can design a master key system with individual keys that provide access to specific areas while maintaining overall security, Duo SSO creates separate Authorization Servers for each OAuth client. This architecture allows for multiple clients to be associated with each Authorization Server, enabling secure segmentation by default — each client operates within its own compartmentalized space, much like rooms in a secure facility.
For applications that require broader access — like having passageways between rooms — we've developed Global Token Introspection. This feature is like installing viewports in doors, allowing one room to verify if a keyholder from another room should be granted access, all while keeping the doors locked and the integrity of each room intact. Global Token Introspection ensures that clients can check the validity of tokens from other Authorization Servers within the Duo SSO ecosystem, maintaining a secure boundary even as information is shared.
To enable Global Token Introspection and effectively manage the flow of access within your organization's infrastructure, we encourage you to reach out to Duo Support.
The integration of OAuth Client Credentials into Duo SSO's offerings shows Duo’s commitment to providing advanced, adaptable, and precise security solutions. It's a testament to our dedication to evolving with the needs of our customers and to our vision of a secure, controlled enterprise environment. As we continue to refine and expand our capabilities, we invite you to explore the benefits of this granular security approach and join us in our mission to safeguard the identity perimeter with unmatched precision.
Next steps
OAuth Client Credentials support in Duo SSO is available for customers on Essentials, Advantage and Premier today! Check out the documentation for how you can start protecting your applications.
For more on what we’re doing to revolutionize Continuous Identity Security, follow along in our Release Notes. If you’re an Essentials customer or a prospect interested in learning more about the power of Duo and our recently announced Cisco Identity Intelligence, the best path forward is signing up for an Identity Security Assessment. This assessment is effectively a free trial of the new functionality and will showcase a variety of valuable features and use cases.
Here’s to the future of secure Identity with Duo!