[Openid-specs-ab] client_credentials grant_type

Salvatore D'Agostino sal at idmachines.com
Mon Sep 17 14:29:56 UTC 2012

OAuth or Connect derived from PIV or PIV as a scope?  
Or is this scope from the "attribute exchange"?


-----Original Message-----
From: John Bradley [mailto:ve7jtb at ve7jtb.com] 
Sent: Sunday, September 16, 2012 11:01 PM
To: openid-specs-ab at lists.openid.net Group
Subject: [Openid-specs-ab] client_credentials grant_type

Last week I had several conversations with FICAM people around OAuth and

One thing that they do and is also not uncommon in enterprises is permission
access based on client credentials.
Think SAML Attribute query.

We do have that in OAuth 2.0.

One thing we don't say in Connect is how to support that grant_type.

It seems fairly strait forward that you would have a scope of openid and any
other user_info related scopes, that nonce and state are not required.
Returning a id_token probably doesn't make sense.

To specify the user who is the subject we already have a way of passing the
required user_id in the request object.

I can see this being useful to compliment or replace a SAML/SOAP flow.  

We don't specifically talk about this or the Resource owner Password
credentials Grant. 

As long as we don't do something in the core specs to preclude them we could
put them in a separate profile as they are sort of special case.

John B.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6085 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20120917/2a6d8092/attachment.bin>

More information about the Openid-specs-ab mailing list