Creating a trusted client OAuth Token?

TL;DR:

I have a trusted application in my VPC and I want to allow:

POST /oauth/authorize? user_id=U_123, client_id=xyz, client_secret=abdfd

which allows unrestricted access to any user's data under the assumption of client secrecy. Is there any precedent for this?


I'm implementing a service oriented architecture and one of the parts I'm less sure about is application authentication and authorization.

We have an internal application for the main API that we use for trusted OAuth using only the client credentials (id, secret) and a user id:

POST /oauth/authorize? user_id=U_123, client_id=xyz, client_secret=abdfd

Essentially, this allows you to generate an OAuth token for a given user without a password and without displaying an authorization page.

By including the user ID in the mix, this allows for user-specific tokens and gives us the option of invalidating tokens for a single user. This way we don't need to invalidate the entire application, so there is potentially no security compromise.

Is there any precedent for generating an OAuth 2.0 trusted client token?

+3




1 answer


The use case you describe follows the Client Credentials grant standardized in the OAuth 2.0 specification: https://tools.ietf.org/html/rfc6749#section-4.4



A user ID can effectively be passed as a scope value that allows access to the resources of that user (the resource owner). This is what the spec calls resources under the control of "another resource owner that was previously configured with an authorization server."

+1








