[Openid-specs-mobile-profile] Client Credentials to get an access_token associated to a specific user

John Bradley ve7jtb at ve7jtb.com
Tue Jan 10 17:56:05 UTC 2017

The JWT assertion flow is the best way to do it. Google and Facebook support that. It is not that complicated.

Extending client credentials is not likely to happen.

> On Jan 10, 2017, at 12:17 PM, GONZALO FERNANDEZ RODRIGUEZ <gonzalo.fernandezrodriguez at telefonica.com> wrote:
> Hi guys,
> We have been discussing use cases where Resource Servers are protected for Trusted Service Providers. We have been discussing different options; client_credentials is one of them, but the token returned is not tied to any specific user, and the OAuth 2.0 spec seems not to allow it, so the Service Provider should send the user_id (MSISDN or whatever) using the Resource Server API.
> The client can request an access token using only its client
>    credentials (or other supported means of authentication) when the
>    client is requesting access to the protected resources under its
>    control, or those of another resource owner that have been previously
>    arranged with the authorization server (the method of which is beyond
>    the scope of this specification).
> Charles talked about the JWT Assertion (Assertion Framework for OAuth 2.0 … RFC 7521); is it the solution to do that? Or… could client_credentials be extended to get an access_token tied to an end_user?
> Best,
> Gonza.
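
As an added illustration that is not part of either message above: a sketch of the JWT assertion grant (RFC 7523, the JWT profile of RFC 7521), in which a trusted service provider signs a JWT whose `sub` names the end user and the authorization server validates it before issuing a token tied to that user. The issuer and token endpoint URLs, the user identifier, the function names and the HS256 shared key are assumptions chosen to keep the example standard-library only; deployments typically sign with an asymmetric key.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # grant type from RFC 7523

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_assertion(key, iss, sub, aud, now, ttl=300):
    # Service provider side: `iss` is the provider, `sub` is the end user.
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": iss, "sub": sub, "aud": aud, "iat": now, "exp": now + ttl}
    parts = [b64u(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64u(sig)

def token_request(assertion, scope):
    # Form body for the token endpoint; replaces grant_type=client_credentials.
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion, "scope": scope})

def validate_assertion(assertion, keys, token_endpoint, now):
    # Authorization server side: returns the user the access token is tied to.
    try:
        h, c, s = assertion.split(".")
        header, claims, sig = json.loads(b64u_dec(h)), json.loads(b64u_dec(c)), b64u_dec(s)
    except ValueError:
        raise ValueError("malformed assertion") from None
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        raise ValueError("malformed assertion")
    if header.get("alg") != "HS256":       # pin the algorithm, do not follow the header
        raise ValueError("unexpected alg")
    key = keys.get(claims.get("iss"))      # only issuers arranged in advance
    if key is None:
        raise ValueError("unknown issuer")
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    aud = claims.get("aud")                # must name this authorization server
    if token_endpoint not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims["sub"]
```
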
