# talk-hydra
w
When creating a Client for the Client Credentials flow that should be used by a Customer using "your" API, how can you set up some information on that Client that the API server can use for validating the Permission and Scope/Claim that the API is allowed? Maybe a company ID in the Scope that resolves to the company ID as a claim?
w
We encountered the same challenge. With the authorization grant flow we can control the `ext` returned by the oauth2 introspect endpoint, but not with the client credentials flow. We also need the ability to control some of the output from the oauth2 client itself, to encode the company ID for example.
We thought of setting the data as metadata under the oauth2 client or in some different data storage, but it would require an additional lookup, i.e. it can't be retrieved from the introspect endpoint.
We settled for a hack where we abuse the audience field. It seems like the audience field set by the client isn't arbitrary and must be allowed explicitly by the oauth2 client. So we just said something along the lines of: if the scope is audIsCompanyId, then we use the audience as the company ID.
It would be a good feature request to allow controlling some property returned by introspect from the oauth2 client itself.
@magnificent-energy-493 would love to hear your opinion about this
w
@wide-dawn-74672 thanks for your feedback! 🙏 I'm "glad" to hear it's just not me. I've been looking at a lot of oauth client implementations, and it seems common that they are pretty useless data-wise 😞
It would be awesome just to be able to specify the claims coupled to scopes, e.g. in the metadata like you talk about.
w
Did you find a solution?
w
Not at all. I built something from scratch on the side to support mapping clients to organizations.