Hey jasonraimondi, thanks for your awesome project.
I wonder: if there are multiple microservices distributed on different machines, and I have to protect those endpoints with an access_token, then what is the best practice (or common implementation) to do so?
For example, I have microservices A, B, C.
Now, service A has to send a request to protected service B (with an access_token).
I am not sure how I can complete this workflow 😣
My current thought is to use client_credential to grant all services. Each service will verify its token before sending a request to another service endpoint; if the token is expired or does not exist, then create it first. After we get the access token from this authorization server, send the request with the access token, and the target service will verify this access token before data processing.
I would appreciate any advice 🙏🙏🙏
Client credentials grant is not on behalf of a user, therefore it does not have a user context. If the access token is on behalf of a user, i.e. the endpoint you are trying to authorize into needs to know what user it is, you will need to use the password grant instead. Both the password grant and the client credentials grant should only be used by clients that can hold a secret.
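
The caller side of the workflow described in the issue (service A obtains a client_credentials token, reuses it until shortly before expiry, then requests a new one), as an added example that is not part of the thread or of the project's code. The class name, the injected `post` function, the 30-second skew and the fake token endpoint are assumptions made for illustration.

```javascript
// Added example (not ts-oauth2-server code). All names and values are hypothetical.
class ServiceTokenCache {
  constructor({ tokenUrl, clientId, clientSecret, post, now = Date.now, skewMs = 30000 }) {
    Object.assign(this, { tokenUrl, clientId, clientSecret, post, now, skewMs });
    this.cached = null;   // { accessToken, expiresAt } with expiresAt in ms
    this.inFlight = null; // shared promise so concurrent callers trigger one request
  }

  // Return a token that stays valid for at least skewMs, fetching one if needed.
  async getToken() {
    if (this.cached && this.now() < this.cached.expiresAt - this.skewMs) {
      return this.cached.accessToken;
    }
    if (!this.inFlight) {
      this.inFlight = this.fetchToken().finally(() => { this.inFlight = null; });
    }
    return this.inFlight;
  }

  // RFC 6749 section 4.4 request; client credentials go in the form body here.
  async fetchToken() {
    const body = new URLSearchParams({
      grant_type: "client_credentials", client_id: this.clientId, client_secret: this.clientSecret,
    }).toString();
    const res = await this.post(this.tokenUrl, body); // post resolves to parsed JSON
    if (!res || typeof res.access_token !== "string") {
      throw new Error("token endpoint returned no access_token");
    }
    // expires_in is optional in the spec; without it the token is never reused.
    const ttlMs = Number(res.expires_in) > 0 ? Number(res.expires_in) * 1000 : 0;
    this.cached = { accessToken: res.access_token, expiresAt: this.now() + ttlMs };
    return res.access_token;
  }
}

// Constructed stand-in for the authorization server's token endpoint (runs offline).
function fakeTokenEndpoint(expectedSecret) {
  let issued = 0;
  const post = async (_url, body) => {
    const p = new URLSearchParams(body);
    if (p.get("grant_type") !== "client_credentials" || p.get("client_secret") !== expectedSecret) {
      throw new Error("invalid_client");
    }
    issued += 1;
    return { token_type: "Bearer", access_token: `token-${issued}`, expires_in: 3600 };
  };
  return { post, count: () => issued };
}
```

In service A, `post` would wrap an HTTPS form POST to the authorization server's token endpoint, and the returned token goes into the `Authorization: Bearer` header of each request to service B.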