[Openid-specs-mobile-profile] Client Credentials to get an access_token associated to an specific user
GONZALO FERNANDEZ RODRIGUEZ
gonzalo.fernandezrodriguez at telefonica.com
Tue Jan 10 15:17:50 UTC 2017
We have been discussing use cases where Resource Servers are protected for Trusted Service Providers. We have been discussing different options; client_credentials is one of them, but the token returned is not tied to any specific user, and the OAuth 2.0 spec seems not to allow it, so the Service Provider should send the user_id (MSISDN or whatever) using the Resource Server API.
The client can request an access token using only its client
credentials (or other supported means of authentication) when the
client is requesting access to the protected resources under its
control, or those of another resource owner that have been previously
arranged with the authorization server (the method of which is beyond
the scope of this specification).
Charles talked about the JWT Assertion (Assertion Framework for OAuth 2.0 … RFC 7521); is it the solution to do that? Or could client_credentials be extended to get an access_token tied to an end_user?
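For context on the assertion mechanism the post asks about, here is an added example (not from this thread or from any OpenID/IETF specification) of the RFC 7523 JWT bearer grant, the JWT profile of RFC 7521: the client signs an assertion whose `sub` names the end user and `iss` names the client, and the authorization server validates it and binds the issued token to that subject, which client_credentials alone cannot express. The client id, the shared HS256 secret, the token endpoint URL and the MSISDN are constructed assumptions.

```python
import base64, hashlib, hmac, json, secrets

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # RFC 7523 grant_type value
# Constructed sample registry: one Service Provider client and the HMAC secret it
# shares with the authorization server (assumption; real deployments often use RS256).
CLIENTS = {"sp-client": b"constructed-shared-secret"}
TOKEN_ENDPOINT = "https://as.example/token"   # assumed token endpoint, used as aud
_seen_jti = set()                             # replay cache for assertion ids

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_assertion(client_id: str, user_id: str, now: int) -> str:
    """Client side: build and sign an assertion; sub identifies the end user."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": user_id, "aud": TOKEN_ENDPOINT,
              "iat": now, "exp": now + 300, "jti": secrets.token_hex(8)}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENTS[client_id], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def token_request(assertion: str) -> dict:
    """Form body the client POSTs to the token endpoint."""
    return {"grant_type": JWT_BEARER, "assertion": assertion}

def issue_token(form: dict, now: int) -> dict:
    """Authorization server side: validate the assertion, then bind the token to sub."""
    if form.get("grant_type") != JWT_BEARER:
        raise ValueError("unsupported_grant_type")
    head, body, sig = form["assertion"].split(".")
    if json.loads(_unb64url(head)).get("alg") != "HS256":   # never trust alg=none etc.
        raise ValueError("invalid_grant: unexpected alg")
    claims = json.loads(_unb64url(body))
    secret = CLIENTS.get(claims.get("iss"))                  # iss must be a registered client
    if secret is None:
        raise ValueError("invalid_client")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("invalid_grant: bad signature")
    if claims.get("aud") != TOKEN_ENDPOINT or claims.get("exp", 0) <= now:
        raise ValueError("invalid_grant: wrong audience or expired")
    if claims.get("jti") in _seen_jti:
        raise ValueError("invalid_grant: replayed assertion")
    _seen_jti.add(claims["jti"])
    # The token record carries both the client and the resource owner it was issued for.
    return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
            "expires_in": 3600, "client_id": claims["iss"], "sub": claims["sub"]}
```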