You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Most resources I find online are generally quite "strict" in stating how the concept of a user has no place in the context of
the client_credentials grant. I believe this is incorrect or at the very least, misleading.
The client can request an access token using only its client
credentials (or other supported means of authentication) when the
client is requesting access to the protected resources under its
control, or those of another resource owner that have been previously
arranged with the authorization server (the method of which is beyond
the scope of this specification).
"Another resource owner" can very well be a user, that through some application-specific business rules grants access to a client.
I would argue that a user wanting to access their own resources programatically is a common scenario, even if typically for more "tech-inclined users". This scenario in my opinion is perfectly suited for client_credentials and it seems unnecessary to "consider" the use of the password grant here (normally discouraged and not recommended by https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.4), due to the perception that the user context/concept is off-limits in client_credentials. Redirect-based flows are also not appropriate here.
The Client Credentials grant type is used by clients to obtain an access token outside of the context of a user.
This is typically used by clients to access resources about themselves rather than to access a user's resources.
While the first sentence employs the rather strict "... is used... outside of the context of a user.", the use of "typically" in the second sentence allows some room for an interpretation closer to how the OAuth2 RFC defines clients_credentials.
I think it would benefit the understanding of the client_credentials grant if there was language alluding to the fact that it's a grant where access is granted without an authorization step (which IMHO is the big distinction between client_credentials and the redirection-based flows) rather than language that explicitly excludes the user context.
The seemingly explicit exclusion of the user context from most resources I find about client_credentials seems to have a disproportionate focus compared to what I interpret as the OAuth2 RFC stating as effectively application-specific - the resource owner being the client itself or some other entity, say, a user, and access/scope being "resolved" by some other means.
Any thoughts? :)
The text was updated successfully, but these errors were encountered:
Hi @aaronpk
Thanks for a well maintained resource.
If I may, I would like to get your feedback on what is my interpretation of https://tools.ietf.org/html/rfc6749#section-4.4 and if it warrants an update to https://oauth.net/2/grant-types/client-credentials/.
Most resources I find online are generally quite "strict" in stating how the concept of a user has no place in the context of
the
client_credentialsgrant. I believe this is incorrect or at the very least, misleading.From https://tools.ietf.org/html/rfc6749#section-4.4, (emphasis mine):
"Another resource owner" can very well be a user, that through some application-specific business rules grants access to a client.
I would argue that a user wanting to access their own resources programatically is a common scenario, even if typically for more "tech-inclined users". This scenario in my opinion is perfectly suited for
client_credentialsand it seems unnecessary to "consider" the use of thepasswordgrant here (normally discouraged and not recommended by https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.4), due to the perception that the user context/concept is off-limits inclient_credentials. Redirect-based flows are also not appropriate here.From: https://oauth.net/2/grant-types/client-credentials/:
While the first sentence employs the rather strict "... is used... outside of the context of a user.", the use of "typically" in the second sentence allows some room for an interpretation closer to how the OAuth2 RFC defines
clients_credentials.I think it would benefit the understanding of the
client_credentialsgrant if there was language alluding to the fact that it's a grant where access is granted without an authorization step (which IMHO is the big distinction betweenclient_credentialsand the redirection-based flows) rather than language that explicitly excludes the user context.The seemingly explicit exclusion of the user context from most resources I find about
client_credentialsseems to have a disproportionate focus compared to what I interpret as the OAuth2 RFC stating as effectively application-specific - the resource owner being the client itself or some other entity, say, a user, and access/scope being "resolved" by some other means.Any thoughts? :)
The text was updated successfully, but these errors were encountered: