[Openid-specs-ab] client_credentials grant_type

Roland Hedberg roland.hedberg at adm.umu.se
Mon Sep 17 06:28:51 UTC 2012


Hi John,

17 sep 2012 kl. 05:01 skrev John Bradley <ve7jtb at ve7jtb.com>:

> Last week I had several conversations with FICAM people around OAuth and Connect.
> 
> One thing that they do and is also not uncommon in enterprises is permission access based on client credentials.
> Think SAML Attribute query.
> 
> We do have that in OAuth 2.0.
> 
> One thing we don't say in Connect is how to support that grant_type.
> 
> It seems fairly straightforward that you would have a scope of openid and any other user_info related scopes, that nonce and state are not required.
> Returning a id_token probably doesn't make sense.
> 
> To specify the user who is the subject we already have a way of passing the required user_id in the request object.
> 
> I can see this being useful to compliment or replace a SAML/SOAP flow.  
> 
> We don't specifically talk about this or the Resource owner Password credentials Grant. 
> 
> As long as we don't do something in the core specs to preclude them we could put them in a separate profile as they are sort of special case.


My question about attribute authorities the other week was exactly concerning this.

So maybe we should write something about how to do this with Connect/OAuth2.
What we definitely should do, as you say, is to make sure we don't do anything in core to prohibit/prevent/complicate this use case.

-- Roland
------------------------------------------------------
Roland Hedberg
IT Architect/Senior Researcher
ICT Services and System Development (ITS) 
Umeå University 
SE-901 87 Umeå, Sweden	
Phone +46 90 786 68 44
Mobile +46 70 696 68 44 
www.its.umu.se 
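The exchange sketched in the thread (a client_credentials token request carrying an openid scope, no nonce or state, and a response with an access token but no id_token), written out as an added example that is not part of the original post and not code from any Connect implementation. It follows RFC 6749 section 4.4 for the grant itself; the client registry, the requirement that openid be present in the requested scope, and the function names are assumptions made for the example.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed client registry for the example; a real server would back this with storage.
CLIENTS = {
    "attr-consumer": {
        "secret": "s3cret-for-demo",
        "allowed_scopes": {"openid", "profile", "email"},
    },
}


def build_token_request(client_id, client_secret, scopes):
    """Client side: HTTP Basic client authentication plus the form body of RFC 6749 section 4.4.2.

    No nonce, state, redirect_uri or authorization code is involved: the client is
    acting on its own credentials, not on behalf of a browser session.
    """
    auth = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": "Basic " + auth,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)})
    return headers, body


def parse_basic_auth(header):
    """Return (client_id, client_secret) from a Basic Authorization header, or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except Exception:
        return None
    if ":" not in raw:
        return None
    client_id, secret = raw.split(":", 1)
    return client_id, secret


def token_endpoint(headers, body):
    """Server side: handle one client_credentials request and return (status, JSON-able response)."""
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return 401, {"error": "invalid_client"}
    client_id, presented_secret = creds
    client = CLIENTS.get(client_id)
    # Compare in constant time, and run the comparison even for unknown clients so that
    # the response timing does not reveal which client_ids are registered.
    expected = client["secret"] if client else ""
    if not hmac.compare_digest(expected.encode(), presented_secret.encode()) or client is None:
        return 401, {"error": "invalid_client"}

    form = parse_qs(body, keep_blank_values=True)
    if form.get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}

    requested = set(form.get("scope", [""])[0].split())
    # Assumption for this profile: the request is a Connect-style attribute query,
    # so openid must be present; everything requested must be allowed for this client.
    if "openid" not in requested or not requested <= client["allowed_scopes"]:
        return 400, {"error": "invalid_scope"}

    # The access token is an opaque handle here; the UserInfo endpoint would resolve it
    # to the client and its granted scopes. No id_token is issued: there was no end-user
    # authentication event for an ID Token to describe.
    return 200, {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 3600,
        "scope": " ".join(sorted(requested)),
    }
```

The point the thread makes is visible in the response shape: the server can accept an openid scope on this grant without minting an id_token, because the token identifies the client, and the subject the client is asking about has to be conveyed separately (the post suggests the user_id in the request object), not by the token response.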


