I was able to implement the client credentials grant flow to restrict access to my API in GAE. It was relatively straightforward, it works well, but it doesn’t seem like the origin URLs setting of the client is respected in this flow. How do I tie a client ID to a specific URL, so that requests for the access token coming from other URLs are denied?
This is not relevant for client credentials grant. There is no user interaction in my authentication flow.