[Openid-specs-ab] ID Tokens and the client_credentials flow

George Fletcher gffletch at aol.com
Thu Mar 14 19:08:17 UTC 2019


Hi,

We ran into a very interesting use case that OpenID Connect and OAuth2 
don't really address and I'm looking for input on the best mechanism to 
enable.

Specifically, we have a way to issue user specific x.509 certificates. 
Given that the certificate references a user, we can use the 
client_credentials flow (with MTLS, private_key_jwt, etc) to obtain an 
access token for the user without involving a browser or UI flows. 
However, there are some contexts where we'd like to get back an id_token 
along with the access_token.

One thought is to use the concept defined by the OpenID Connect spec and 
that is specify a scope of "openid" in the client_credentials flow to 
indicate that an id_token should be returned in addition to the 
access_token.

Other thoughts for how best to do this in a way that maintains the 
spirit of the specs?

Thanks,
George


More information about the Openid-specs-ab mailing list