Does Salesforce support the Client Credentials Grant for OAuth?
It's correct that you cannot perform a Client Credentials grant, but headless authentication, scoped to a user, is pretty easy. You can accomplish this with the OAuth 2.0 JWT Bearer Token Flow
Simplified steps...
- Create a Connected App
- Generate an X509 Cert and upload the cert to the Connected App
- Set the connected app policy to Admin approved users are pre-authorized
- Give one or more of your users access to the app via Permission Sets or Profiles.
- Make sure your external application has access to the X509 private key. Take care to store this securely with your application.
- Generate a JWT using the user you'd like to authenticate with. You'll set their username to the
sub
property. You'll sign it with the X509 private key. - Post it to the token endpoint with
grant_type
equal tourn:ietf:params:oauth:grant-type:jwt-bearer
This will return you an access token. Find a library in your preferred language to help with the construction and signing of your JWT. More details in the link above.
All transactions in Salesforce are user-based. User access determines field level and record level access, page layouts, and so on. There's absolutely no way to perform an action as an anonymous "non-user." Even automated processes use an "Automated User" user for logging actions against. This is related to the auditing capabilities of Salesforce. The typical alternative is to log in as an admin or integration user.