I have recently implemented the Resource Owner Password Grant flow for a machine-to-machine application, where only trusted apps are using this authentication method. In addition, the API expects stateless JWTs on the server side. The question:
I cannot find any way to include the username or email address as a claim in the access_token JWT using the password grant. If I include the scope “openid” in the POST /token request, it returns both an access_token and an id_token; however, the id_token doesn’t seem to work when the audience is set to the machine-to-machine API application.
Is what I am trying to do possible? Any help is greatly appreciated. Thanks!
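As an added illustration (not part of the question above), the following constructed example shows the audience check a resource server performs and why an id_token, whose `aud` is the client id rather than the API identifier, fails it, alongside an access token that carries the email as a namespaced custom claim. It assumes HS256 with a shared secret and placeholder identifiers; real providers typically sign with RS256 and expose their own mechanism for adding claims.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder values; a real deployment uses its provider's issued identifiers.
SECRET = b"constructed-shared-secret"
API_AUDIENCE = "https://api.example.com"   # identifier of the machine-to-machine API
CLIENT_ID = "constructed-client-id"         # an id_token's aud is the client, not the API
EMAIL_CLAIM = "https://example.com/email"   # namespaced custom claim name (assumed)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, key: bytes = SECRET) -> str:
    """Mint a JWT as a token endpoint would (HS256 so the example is self-contained)."""
    header = b64url(json.dumps({"alg": "HS256"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_for_api(token: str, key: bytes = SECRET, audience: str = API_AUDIENCE) -> dict:
    """Resource-server check: pinned alg, valid signature, unexpired, aud names this API."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if time.time() >= claims.get("exp", 0):
        raise ValueError("expired")
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:
        raise ValueError(f"aud {aud} does not include {audience}")
    return claims

def mint_tokens(email: str) -> tuple:
    """What the token endpoint returns: an access token for the API (carrying the email
    as a namespaced claim) and an id_token whose aud is the client application."""
    exp = int(time.time()) + 600
    access = sign_hs256({"sub": "user|1", "aud": API_AUDIENCE, "exp": exp, EMAIL_CLAIM: email})
    id_token = sign_hs256({"sub": "user|1", "aud": CLIENT_ID, "exp": exp, "email": email})
    return access, id_token
```

The API accepts the access token and reads the email from the namespaced claim, while the id_token is rejected purely on `aud`, which matches the failure described when the audience is set to the API.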