-
|
Short version: Given a token, how do I determine the grant type? Is it possible to add a Longer version: Our server-side code that interprets the token needs to figure out whether it's interacting with a user or a machine; for the moment, we can just use the But I'm wondering about the day if/when I need to support client credentials grants publicly. Naturally, exposing our Hydra server to the Internet is an option but brings with it certain responsibilities. We already use Auth0 publicly for users; it would be natural to consider using it for Internet-facing machine-to-machine flows. If we did that, my Now I see that client credentials tokens issued by Auth0 include a Or is there another (better) way to figure out what sort of grant a token represents? Thanks! |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 3 replies
-
|
For client credentials, the |
Beta Was this translation helpful? Give feedback.
-
|
Thanks! But that does make me wonder if I'm doing something wrong; like maybe I'm asking the wrong question. Is it odd to be interested in determining the grant type? |
Beta Was this translation helpful? Give feedback.
-
|
From what I could gather the way they do it in Auth0 is their approach but it is not mandatory from the OAuth2 spec. You could look into using Kratos for user AuthN, that would probably eliminate some of the complexity of interfacing. We are also launching a SaaS service of the Ory products with some benefits in that direction, feel free to reach out if that is interesting/ an option to you 😉. |
Beta Was this translation helpful? Give feedback.
-
|
I'm going to accept this answer from @aeneasr as essentially saying "you can't, unless the only issuer you're accepting tokens from is Hydra (in which case |
Beta Was this translation helpful? Give feedback.
For client credentials, the
client_idequals thesubduring introspection. For all other flows, these two values are different. There are no other indicators for that at the moment.