[Openid-specs-mobile-profile] Client Credentials to get an access_token associated to an specific user

Tue Jan 10 15:17:50 UTC 2017

Hi guys,

We have been discussing about use cases where Resource Servers are protected for Trusted Service Providers. We have been discussing about different options, client_credentials is one of them but the token returned is not tied to any specific user, and the Oauth 2.0 spec. Seems that doesn’t allow it, so the Service Provider should send the user_id (MSISDN or whatever) using the Resource Server API.

The client can request an access token using only its client
   credentials (or other supported means of authentication) when the
   client is requesting access to the protected resources under its
   control, or those of another resource owner that have been previously
   arranged with the authorization server (the method of which is beyond
   the scope of this specification).

Charles talked about the JWT Assertion (Assertion Framework for OAuth 2.0 … RFC 7521), is it the solution to do that? Or… could be client_credentials extended to get an access_token tied to an end_user?

Best,
Gonza.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20170110/dfd0a151/attachment.html>