[Openid-specs-ab] client_credentials grant_type

Torsten Lodderstedt torsten at lodderstedt.net
Mon Sep 17 05:30:29 UTC 2012


Hi John,

Resource owner password credential grant definitely makes sense in my opinion. I'm not sure about client credentials, esp. w/o id_token, as this boils down to standard OAuth to get access to the user info endpoint.

Regards,
Torsten.



John Bradley <ve7jtb at ve7jtb.com> wrote:

>Last week I had several conversations with FICAM people around OAuth
>and Connect.
>
>One thing that they do and is also not uncommon in enterprises is
>permission access based on client credentials.
>Think SAML Attribute query.
>
>We do have that in OAuth 2.0.
>
>One thing we don't say in Connect is how to support that grant_type.
>
>It seems fairly straightforward that you would have a scope of openid
>and any other user_info related scopes, that nonce and state are not
>required.
>Returning an id_token probably doesn't make sense.
>
>To specify the user who is the subject we already have a way of passing
>the required user_id in the request object.
>
>I can see this being useful to complement or replace a SAML/SOAP flow.
>
>
>We don't specifically talk about this or the Resource owner Password
>credentials Grant. 
>
>As long as we don't do something in the core specs to preclude them we
>could put them in a separate profile as they are sort of special case.
>
>John B.
>
>
>