[Openid-specs-ab] ID Tokens and the client_credentials flow

George Fletcher gffletch at aol.com
Thu Mar 14 19:08:17 UTC 2019


We ran into a very interesting use case that OpenID Connect and OAuth2 
don't really address and I'm looking for input on the best mechanism to 

Specifically, we have a way to issue user-specific X.509 certificates.
Given that the certificate references a user, we can use the 
client_credentials flow (with MTLS, private_key_jwt, etc) to obtain an 
access token for the user without involving a browser or UI flows. 
However, there are some contexts where we'd like to get back an id_token 
along with the access_token.

One thought is to use the concept defined by the OpenID Connect spec, and
that is to specify a scope of "openid" in the client_credentials flow to
indicate that an id_token should be returned in addition to the 

Other thoughts for how best to do this in a way that maintains the 
spirit of the specs?


