Re: [OAUTH-WG] Few questions about client_credentials

Sergey Beryozkin <> Thu, 01 March 2012 22:14 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B0F5321E835C for <>; Thu, 1 Mar 2012 14:14:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 7uvkNOvOpRrv for <>; Thu, 1 Mar 2012 14:14:10 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id B8ACF21E8352 for <>; Thu, 1 Mar 2012 14:14:09 -0800 (PST)
Received: by wicr5 with SMTP id r5so330239wic.31 for <>; Thu, 01 Mar 2012 14:14:09 -0800 (PST)
Received-SPF: pass ( domain of designates as permitted sender) client-ip=;
Authentication-Results:; spf=pass ( domain of designates as permitted sender); dkim=pass
Received: from ([]) by with SMTP id m7mr7857880wia.3.1330640049055 (num_hops = 1); Thu, 01 Mar 2012 14:14:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=hPwUnhmXyX39piNmAjkAPMeOEJoqdrjPnZrqYhKfRxQ=; b=OilFospVPcUzYIb9UlXMOeEZm2hOAHiLdSSjpvz9GAtV97gVMhnt1gc+z5fRRAV+uX 6GPsrJ9t1TUTf5pDZ7mur9hsH3mme6NWkU3faQbCTjLVQGDFZS/W/E6pwfDOlRBxoCeM r1LMxgB7n/3dqNDvQ1RSBU7enFtkbWuB97kpFIiosoz6F4JruFzwRrOmwjEDzQqgbssI rzKK31zFXerD1JoXxK8bCcuHISdTdi86egMWYcWMgG53sf5+ySWyZvY7GGkV8iMzxn43 C5J3hcbsCrvgrEkAvhTkmAH7yteIuqbVmhMIDDD8/A49VnZXgpago4MjkXSOFEF8MWZg cHcw==
Received: by with SMTP id m7mr6348586wia.3.1330640048985; Thu, 01 Mar 2012 14:14:08 -0800 (PST)
Received: from [] ([]) by with ESMTPS id df3sm44612074wib.1.2012. (version=SSLv3 cipher=OTHER); Thu, 01 Mar 2012 14:14:08 -0800 (PST)
Message-ID: <>
Date: Thu, 01 Mar 2012 22:14:07 +0000
From: Sergey Beryozkin <>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv: Gecko/20110617 Thunderbird/3.1.11
MIME-Version: 1.0
To: "Richer, Justin P." <>
References: <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "<>" <>
Subject: Re: [OAUTH-WG] Few questions about client_credentials
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 01 Mar 2012 22:14:10 -0000

Thanks for the comments,

On 01/03/12 17:00, Richer, Justin P. wrote:
> If there's a fully trusted relationship between the client and the server, then the client may in fact be accessing data on behalf of another resource owner. It's a useful pattern when a three-legged flow like the Auth Code is not available. But it's kind of splitting hairs because the client has been granted a blanket access to the resource ahead of time, by virtue of its registration. Showing up to get a token is a method of limiting exposure and power of the client credentials, and making it easier to support both direct-client access and delegated-client access simultaneously with most of the same tooling.

It does make sense. What I'm still missing is how an access token 
returned as part of the client_credentials flow can 'link' to more than 
a single resource owner. The authorization server can establish the fact 
that a specific end user pre-authorized the client, but how to manage 
the case where many end users have pre-authorized the same client ? The 
returned access token won't uniquely identify the end user which have 
pre-authorized this client...

> To your second question, no -- scopes do not have to be ignored in this case. In fact, a well-designed client and server can make use of scopes to let the client request an access token that's only good for whatever the current transaction is, as opposed to something that's representative of all of the client's capabilities. This is a method known as "downscoping" and it's a very powerful pattern that OAuth enables. Of course, if you want, you are fully allowed to leave the scope out entirely, then it's up to the Authorization Server alone to figure out what the token is really good for.
Sure - I can see why it is very useful for an authorization code flow.
Still a bit unclear why the scope can be needed in case where a client 
is accessing its own resources, but do see it can be useful when the 
access to the end user's resources is also thought...

many thanks

> Hope this clears things up,
>   -- Justin
> On Mar 1, 2012, at 11:39 AM, Sergey Beryozkin wrote:
>> Hi,
>> I have few questions about the client_credentials grant type.
>> Section 4.4 [1] says: "...client is requesting access to the protected resources under its control, or those of another resource owner..."
>> What I do not understand is the latter part of the above statement, how to establish a link between the client authentication (which is an actual grant in this case) and different resource owners given that the only thing we have is the client authentication. As far as I can see it is only possible to get a one to one link with the end user in this case.
>> Can someone please clarify what is meant by "those of another resource owner" phrase ?
>> The other question is about an optional scope parameter. It has to be ignored in case of the client requesting a token for accessing its own resources, right ?
>> Thanks, Sergey
>> [1]
>> _______________________________________________
>> OAuth mailing list