Machine to Machine auth and Service Tokens

[kotyara85]

Does dex support issuing machine to machine tokens?
Also, is there a way to generate long living service token signed by dex after a user obtained a token through normal OAUTH2 workflow?
Thanks!

[nabokihms]

Hello, @kotyara85. Dex does not support long living tokens. For m2m you can use the password credentials grant to get a new token every time an old one expires. This flow does not involves browser or http redirects, thus it is basically easy to automate token renovation process.

[sagikazarmark]

I guess a better answer is: it depends. Which token, used for what. Dex by default recommends short lived tokens and the use of refresh tokens. But that still requires 3 legged auth flows.

Password grant is basically discouraged by everyone at this point (will probably be dropped by OAuth 2.1).

There is a discussion in #1629 for adding client credentials support, but I have some concerns about the implementation AND the use cases it supports, but basically it would allow machine to machine communication, but without user identity involved.

[kotyara85]

Our use case if to generate user side service accounts with long TTL to use in cli (as an example).
Right now we have our own implementation which uses our own proprietary OAUTH2 workflow and based on that token we sign our own.
So we're looking for a better working out of the box proxy which could be used to implement something similar.