This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

Have one flow per client + client credentials flow #79

Closed
pksorensen opened this issue May 10, 2014 · 4 comments
Comments

@pksorensen
Contributor

Is it "normal" that one client has only one flow associated?

Having an API and a web client that consumes the API, users can log in by implicit flow and give the client their token so that it can ask the API on their behalf.

If the client wants to ask the API something on behalf of the client using the ClientCredentials flow, would it not make sense that the client is only registered once but has the option to use both flows?

I ask because when I look in the static test factories, it seems that I have to set a flow on the client base and I can only set one type of flow, Flow = Flows.ClientCredentials.

Should I just return two Client objects with different flows/ids?

@leastprivilege
Member

Well - in general a client should only have one flow since it can result in security problems if the wrong combination of flows is configured (e.g. code and implicit).

Having "a flow + client credentials" is something I am thinking about since it is a common scenario. Maybe in the future.

@leastprivilege leastprivilege changed the title Multiply flows per client Have one flow per client + client credentials flow May 10, 2014
@leastprivilege leastprivilege self-assigned this May 10, 2014
@ciaranj
Contributor

ciaranj commented May 19, 2014

FWIW I'm actively using this restriction at the minute to assign a notional level of 'trust' to a particular client configuration via scopes (i.e. a given mobile application might have 2 clients configured for its use, one of which gets a scope of 'mobile' [when the implicit grant flow is used, i.e. the mobile user has explicitly authenticated themselves] and the other one gets a scope of 'anon' when the client credentials flow is used [i.e. the user has not yet authenticated themselves]).

(Note, I'm aware that putting client secrets in a mobile application cannot be considered 'secure', hence the different 'trust' levels ascribed, but I cannot see an alternative other than being truly anon. on the API side.)

Potentially/Probably this is the wrong thing to be doing with OIDC/OAuth2 but it is allowing me to close in on a security approach I'm happier with :/
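The two-client arrangement described in the comment above, and the "two Client objects with different flows/ids" the original question asks about, as an added configuration example that is not from this thread or from the IdentityServer project. It assumes the IdentityServer3 v2 in-memory Client model (IdentityServer3.Core.Models); the client ids, redirect URI, scope names and secret are constructed placeholders, and property names may differ in other versions.

```csharp
// Added example: one Client registration per flow for the same mobile app,
// so the allowed scope of each client encodes the trust level of that path.
// Assumes the IdentityServer3 v2 Client model; ids/URIs/secret are constructed.
using System.Collections.Generic;
using IdentityServer3.Core.Models;

public static class MobileAppClients
{
    public static IEnumerable<Client> Get()
    {
        return new List<Client>
        {
            // User-authenticated path: implicit flow only on this client.
            // Tokens carry the 'mobile' scope, which the API treats as a signed-in user.
            new Client
            {
                ClientId = "mobile.app.user",                 // constructed id
                ClientName = "Mobile App (authenticated user)",
                Enabled = true,
                Flow = Flows.Implicit,
                RedirectUris = new List<string> { "myapp://callback" }, // constructed
                AllowedScopes = new List<string> { "openid", "mobile" },
                AccessTokenLifetime = 3600
            },

            // Anonymous path: client credentials flow on a separate client id.
            // A secret shipped inside a mobile binary is not confidential, so this
            // client gets only the narrow 'anon' scope and a short token lifetime,
            // limiting what an extracted secret can be used for.
            new Client
            {
                ClientId = "mobile.app.anon",                 // constructed id
                ClientName = "Mobile App (anonymous)",
                Enabled = true,
                Flow = Flows.ClientCredentials,
                ClientSecrets = new List<Secret> { new Secret("REPLACE-ME".Sha256()) }, // placeholder
                AllowedScopes = new List<string> { "anon" },
                AccessTokenLifetime = 300
            }
        };
    }
}
```

Each client is registered with exactly one flow, which keeps to the constraint the maintainer states above; the API then authorizes on the scope claim in the access token, so a token issued to the 'anon' client never reaches endpoints that require a signed-in user.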

@leastprivilege
Member

For now we will stay with the "one flow per client" constraint.

@leastprivilege
Member

If you think you really need "One flow AND client credential flow" - please open a new issue.
