<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">The JWT assertion flow is the best way to do it. Google and Facebook support that. It is not that complicated.<div class=""><br class=""></div><div class="">Extending client credentials is not likely to happen.</div><div class=""><br class=""></div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Jan 10, 2017, at 12:17 PM, GONZALO FERNANDEZ RODRIGUEZ <<a href="mailto:gonzalo.fernandezrodriguez@telefonica.com" class="">gonzalo.fernandezrodriguez@telefonica.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div style="font-family: Calibri, sans-serif; font-size: 14px;" class="">
Hi guys,</div>
<div style="font-family: Calibri, sans-serif; font-size: 14px;" class="">
<br class="">
</div>
<div style="font-family: Calibri, sans-serif; font-size: 14px;" class="">
We have been discussing about use cases where Resource Servers are protected for Trusted Service Providers. We have been discussing about different options, client_credentials is one of them but the token returned is not tied to any specific user, and the Oauth
2.0 spec. Seems that doesn’t allow it, so the Service Provider should send the user_id (MSISDN or whatever) using the Resource Server API.</div>
<div style="font-family: Calibri, sans-serif; font-size: 14px;" class="">
<br class="">
</div>
<div style="font-family: Calibri, sans-serif; font-size: 14px;" class="">
<pre class="newpage" style="font-size: 13.3333px; margin-top: 0px; margin-bottom: 0px; font-variant-ligatures: normal; orphans: 2; widows: 2;">The client can request an access token using only its client
credentials (or other supported means of authentication) when the
client is requesting access to the protected resources under its
control, or those of another resource owner that have been previously
arranged with the authorization server (the method of which is beyond
the scope of this specification).</pre>
</div>
<div style="font-family: Calibri, sans-serif; font-size: 14px;" class="">
<br class="">
</div>
<div style="font-family: Calibri, sans-serif; font-size: 14px;" class="">
<br class="">
</div>
<div style="orphans: 2; widows: 2;" class=""><font face="Calibri,sans-serif" class="">Charles talked about the JWT Assertion (</font><span style="font-family: Calibri, sans-serif; font-size: 1em; orphans: 2; widows: 2;" class="">Assertion Framework for OAuth 2.0 </span><font face="Calibri,sans-serif" class="">…
RFC 7521), is it the solution to do that? Or</font><font face="Calibri,sans-serif" class="">… could be client_credentials extended to get an access_token tied to an end_user?</font></div>
<pre style="font-family: Calibri, sans-serif; font-size: 13.3333px; margin-top: 0px; margin-bottom: 0px; font-variant-ligatures: normal; orphans: 2; widows: 2;" class=""><br class=""></pre>
<div style="font-family: Calibri, sans-serif; font-size: 14px;" class="">
<br class="">
</div>
<div style="font-family: Calibri, sans-serif; font-size: 14px;" class="">
Best,</div>
<div style="font-family: Calibri, sans-serif; font-size: 14px;" class="">
Gonza.</div>
</div>
_______________________________________________<br class="">Openid-specs-mobile-profile mailing list<br class=""><a href="mailto:Openid-specs-mobile-profile@lists.openid.net" class="">Openid-specs-mobile-profile@lists.openid.net</a><br class="">http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile<br class=""></div></blockquote></div><br class=""></div></body></html>