Same access token for application and application owner for client credentials and password grant types

Sominda Gamage
Regarding the Access token returned by Identity Server for application and application user when using Client Credentials and Resource Owner Password Credentials grant types. (Git issue [1])

Problem scenario:

The access token received by the app owner when using the resource owner password credentials grant type with the scope set to anything except openid (e.g. abc) has the same value as the access token received by the application with the client credentials grant type with the same scope (e.g. abc) as before.

But when the scope is changed to openid, distinct access tokens are received.


Solution:

In the previous versions, the same access token was issued for the application and the application owner when the grant types are client credentials and password and the scope is openid. Also, the ID token was passed in the client credentials grant type.

In the current version, there is a separate property to ignore (disable/omit) openid as the scope when the grant type is client credentials, and this property maintains backward compatibility. When this property is disabled, access tokens will have different values. But this property does not issue different access tokens when the scope is some other type.

To solve the issue, we can introduce a new property to issue distinct access tokens even though the grant type is the same. Enabling this property should issue distinct tokens while disabling the property should not issue distinct tokens which will eventually maintain the backward compatibility.


Your thoughts regarding this matter are highly appreciated.


Regards,

Sominda.



--
Sominda Gamage | Software Engineer| WSO2 Inc.
(M)+94 719873902 | (E) [hidden email]
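The collision described in the post, modelled as an added example (not WSO2 code): a token store keyed only on (client_id, scope) hands the application's client credentials request the very token that was already issued to the application owner via the password grant, so introspection of the application's token reports the owner as its subject. The `distinct_tokens_per_subject` flag, the `openid` special case and the `app:`/`user:` subject labels are assumptions that mirror the behaviour the post describes, not identifiers from Identity Server.

```python
"""
Toy OAuth2 token issuer showing why client_credentials and password grants
can share one access token, and how keying the store on the authorized
subject separates them. Illustrative only; not WSO2 Identity Server code.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class AccessToken:
    value: str
    client_id: str
    scope: FrozenSet[str]
    subject: str  # "app:<client_id>" for the application, "user:<name>" for a user


class TokenIssuer:
    def __init__(self, distinct_tokens_per_subject: bool):
        # Hypothetical property standing in for the one proposed in the post:
        # enabled -> one token per (client, scope, subject);
        # disabled -> legacy behaviour, one token per (client, scope).
        self.distinct_tokens_per_subject = distinct_tokens_per_subject
        self._by_key: Dict[Tuple, AccessToken] = {}
        self._by_value: Dict[str, AccessToken] = {}

    def _key(self, client_id: str, scope: FrozenSet[str], subject: str) -> Tuple:
        # Mirrors the post: openid already yields distinct tokens today; other
        # scopes only do so once the new property is enabled.
        if self.distinct_tokens_per_subject or "openid" in scope:
            return (client_id, scope, subject)
        return (client_id, scope)

    def issue(self, grant_type: str, client_id: str, scope,
              username: Optional[str] = None) -> AccessToken:
        scope = frozenset(scope)
        if grant_type == "client_credentials":
            subject = f"app:{client_id}"          # no end user in this grant
        elif grant_type == "password":
            if not username:
                raise ValueError("password grant needs a resource owner")
            subject = f"user:{username}"
        else:
            raise ValueError(f"unsupported grant_type {grant_type!r}")

        key = self._key(client_id, scope, subject)
        token = self._by_key.get(key)
        if token is None:
            token = AccessToken(secrets.token_urlsafe(24), client_id, scope, subject)
            self._by_key[key] = token
            self._by_value[token.value] = token
        # With the legacy key the cached token keeps the FIRST requester's
        # subject, so a later request by a different principal inherits it.
        return token

    def introspect(self, value: str) -> Optional[AccessToken]:
        return self._by_value.get(value)


def demo(distinct: bool, scope=("abc",)) -> dict:
    """Issue a user token and an app token for the same client and scope."""
    issuer = TokenIssuer(distinct_tokens_per_subject=distinct)
    user_tok = issuer.issue("password", "client-1", scope, username="owner")
    app_tok = issuer.issue("client_credentials", "client-1", scope)
    return {
        "same_value": user_tok.value == app_tok.value,
        "app_token_subject": issuer.introspect(app_tok.value).subject,
    }


if __name__ == "__main__":
    print("legacy, scope abc   :", demo(False))
    print("legacy, scope openid:", demo(False, ("openid",)))
    print("distinct, scope abc :", demo(True))
```

The `app_token_subject` field is the security-relevant part: under the legacy key the application's token introspects as the owner, so whoever holds the application credentials can act with the owner's identity, and revoking one party's token silently revokes the other's. Keying on the subject fixes both.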

_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev