This repository has been archived by the owner on Sep 18, 2021. It is now read-only.
Is it "normal" that one client has only one flow associated?
Having an API and a web client that consumes the API, users can log in by implicit flow and give the client their token so that it can ask the API on their behalf.
If the client wants to ask the API something on behalf of the client using the ClientCredentials flow, would it not make sense that the client is only registered once but has the option to use both flows?
I ask because when I look in the static test factories, it seems that I have to set a flow on the client base and I can only set one type of flow: Flow = Flows.ClientCredentials.
Should I just return two Client objects with different flows/ids?
Well - in general a client should only have one flow, since it can result in security problems if the wrong combination of flows is configured (e.g. code and implicit).
Having "a flow + client credentials" is something I am thinking about, since it is a common scenario. Maybe in the future.
leastprivilege changed the title from "Multiply flows per client" to "Have one flow per client + client credentials flow" on May 10, 2014
FWIW I'm actively using this restriction at the minute to assign a notional level of 'trust' to a particular client configuration via scopes (i.e. a given mobile application might have 2 clients configured for its use, one of which gets a scope of 'mobile' [when the implicit grant flow is used, i.e. the mobile user has explicitly authenticated themselves] and the other gets a scope of 'anon' when the client credentials flow is used [i.e. the user has not yet authenticated themselves]).
(Note, I'm aware that putting client secrets in a mobile application cannot be considered 'secure', hence the different 'trust' levels ascribed, but I cannot see an alternative other than being truly anon. on the API side.)
Potentially/Probably this is the wrong thing to be doing with OIDC/OAuth2 but it is allowing me to close in on a security approach I'm happier with :/
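To make concrete the two points made in this thread (the maintainer's "one flow per client, because the wrong combination of flows is a security problem" and the commenter's "two client registrations for one app, each with its own scope as a trust level"), here is an added, self-contained Python model of that policy. It is constructed for this page and is not IdentityServer's code or API: the client ids, scopes, redirect URI and secret are made-up values, and the request-checking functions are a simplified stand-in for what an authorization server's authorize and token endpoints would enforce.

```python
"""Model of the 'one flow per client' policy discussed above.

Constructed example, not IdentityServer's code. Each registration is bound
to exactly one flow, and one mobile app gets two registrations with
different trust levels (scopes) instead of a single client allowed to use
both the implicit and the client-credentials flow.
"""
import hmac
from dataclasses import dataclass
from typing import Optional, Set

IMPLICIT = "implicit"
AUTHORIZATION_CODE = "authorization_code"
CLIENT_CREDENTIALS = "client_credentials"

# The only grants each flow may use. "authorize:<response_type>" marks a
# front-channel authorize request; bare names are token-endpoint grant_types.
FLOW_GRANTS = {
    IMPLICIT: {"authorize:token"},
    AUTHORIZATION_CODE: {"authorize:code", "authorization_code"},
    CLIENT_CREDENTIALS: {"client_credentials"},
}


@dataclass(frozen=True)
class Client:
    client_id: str
    flow: str                          # exactly one flow per registration
    scopes: frozenset                  # the trust level this registration carries
    secret: Optional[str] = None       # only set for the confidential registration
    redirect_uris: frozenset = frozenset()


class PolicyError(Exception):
    """Raised when a request does not match the client's registration."""


# Constructed registrations mirroring the comment above: same app, two clients.
CLIENTS = {
    "mobile.user": Client("mobile.user", IMPLICIT, frozenset({"mobile"}),
                          redirect_uris=frozenset({"app://callback"})),
    "mobile.anon": Client("mobile.anon", CLIENT_CREDENTIALS, frozenset({"anon"}),
                          secret="constructed-secret"),
}


def _lookup(client_id: str) -> Client:
    client = CLIENTS.get(client_id)
    if client is None:
        raise PolicyError("unknown client")
    return client


def _check_scope(client: Client, scope: str) -> Set[str]:
    # A registration can never hand out more than its own trust level.
    requested = set(scope.split())
    if not requested or not requested <= client.scopes:
        raise PolicyError("scope not allowed for client %s" % client.client_id)
    return requested


def authorize_request(client_id: str, response_type: str,
                      redirect_uri: str, scope: str) -> Set[str]:
    """Front-channel authorize request. Returns the granted scopes or raises."""
    client = _lookup(client_id)
    if "authorize:" + response_type not in FLOW_GRANTS[client.flow]:
        raise PolicyError("client %s is not registered for response_type=%s"
                          % (client_id, response_type))
    if redirect_uri not in client.redirect_uris:
        raise PolicyError("redirect_uri not registered")
    return _check_scope(client, scope)


def token_request(client_id: str, client_secret: Optional[str],
                  grant_type: str, scope: str) -> Set[str]:
    """Token-endpoint request. Returns the granted scopes or raises."""
    client = _lookup(client_id)
    if grant_type not in FLOW_GRANTS[client.flow]:
        raise PolicyError("client %s is not registered for grant_type=%s"
                          % (client_id, grant_type))
    if client.flow == CLIENT_CREDENTIALS:
        # Constant-time comparison of the shared secret.
        if client.secret is None or not hmac.compare_digest(
                client.secret, client_secret or ""):
            raise PolicyError("bad client credentials")
    return _check_scope(client, scope)


if __name__ == "__main__":
    print(authorize_request("mobile.user", "token", "app://callback", "mobile"))
    print(token_request("mobile.anon", "constructed-secret",
                        "client_credentials", "anon"))
    try:
        token_request("mobile.user", None, "client_credentials", "mobile")
    except PolicyError as err:
        print("rejected:", err)
```

The model makes the thread's trade-off visible: because `mobile.user` is bound to the implicit flow, a client-credentials request under that id is refused outright, and because `mobile.anon` only carries the `anon` scope, whoever extracts its secret from the app gets no more than anonymous access, which is the "trust level" the commenter describes.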