Hello
I see many examples where public APIs use the client_credentials flow. I am just wondering how this might be useful when I want to know about the identity of the user. This flow involves no end user, so there is no user information available.
For example, a customer of mine wants to access my API via a shell script. He's using the client_credentials flow. But at the API endpoint all I can say is okay, the access token is valid, but I don't know WHO the caller is without maintaining a separate list from CLIENT_ID to the customer.
1. How is this done in practice?
2. Does that mean I would need a separate CLIENT for each customer? What if I have a million customers?
3. How can my API run in the context of the user without having identity information?
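As an added illustration of the situation described in the question (not code from the thread or from any particular provider), the following Python shows what the API side of the client_credentials flow typically has to do: verify the access token, pull the client identity out of its claims, and map that client id to a customer record that the API owner maintains. The token here is a self-signed HS256 JWT built with a constructed secret so the example runs offline; the claim names `azp` / `client_id`, the `CLIENT_TO_CUSTOMER` table and the customer values are assumptions for this example, not something the thread specifies.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret used only to sign the sample token (HS256). Production APIs
# usually validate RS256 tokens against the issuer's JWKS; the claim handling
# below is the same either way.
SHARED_SECRET = b"constructed-example-secret"

# Hypothetical mapping the API owner maintains, as the question describes:
# one OAuth client per customer, keyed by client_id.
CLIENT_TO_CUSTOMER = {
    "client_abc123": {"customer_id": 42, "name": "Acme Corp", "scopes": ["read:orders"]},
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Create an HS256 JWT; used here only to produce a sample token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes = SHARED_SECRET,
                 now: Optional[float] = None) -> dict:
    """Check structure, algorithm, signature and expiry; return claims or raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the expected algorithm instead of trusting whatever the header says.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def resolve_caller(token: str, now: Optional[float] = None) -> dict:
    """Identify the customer behind a client_credentials access token."""
    claims = verify_token(token, now=now)
    # A client_credentials token carries no end user, only the OAuth client.
    # Authorization servers commonly expose the client id as 'azp' or
    # 'client_id' (assumed here; check your issuer's token format).
    client_id = claims.get("azp") or claims.get("client_id")
    if client_id is None:
        raise ValueError("no client identity in token")
    customer = CLIENT_TO_CUSTOMER.get(client_id)
    if customer is None:
        # Valid token, but no customer registered for this client: reject.
        raise ValueError(f"unknown client {client_id}")
    return {"client_id": client_id, **customer}


if __name__ == "__main__":
    now = time.time()
    sample = mint_token({"azp": "client_abc123", "exp": now + 3600})
    print(resolve_caller(sample, now=now))
```

The point the example makes is the one the question already states: with client_credentials the only identity the API can recover is the client, so "who is calling" is answered by the API owner's own client-to-customer table, and a token whose client is not in that table should be rejected even though its signature is valid.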
If the resource owner is the end-user, the Client Credentials grant wouldn’t be the flow to use. The Client Credentials grant flow is ideal for a CRON job, or other machine-to-machine flows where you don’t need to know the identity of the user. I suggest going through the API Authorization documentation to decide which flow would be best suited to your requirements:
Thank you for your answer, but do you think I did not read all that stuff before?
I cannot imagine how OAuth can be beneficial to me in protecting my REST APIs when I have no form of user interaction with a browser. There is no login or whatever. Just a plain REST endpoint, therefore the only options are the client_credentials grant or the resource owner grant. But do I really want my customers to put their login credentials in my client library for communicating with my API? Is this real life?
Thx