Verify if proxy supports token with grant type

Hello,

How may I restrict access to a proxy/product for an access token that has a particular grant type?

For example, if the token was generated using the client credentials grant type, we don't want to allow this token in proxies/products which are used for the authorization grant type flow.

The only solution we found was to verify the access token on the proxy side, then check the grant type flow variable and raise a fault if the token's grant type is not valid.

Is there a way to link scopes to a grant type? That would also be a solution.

Thanks

1 ACCEPTED SOLUTION

The way you are doing it makes the most sense to me.

If you want, an alternative is what you suggested: populate the scope at the time of generation via the authorization code grant, with something specific that would indicate the token is valid for accessing user-specific information. This is probably not grant_type, but ... something else that would be more meaningful, like "user_information_access" or something like that.

If you're a more mature API organization, your team or organization has a list of scopes that are used in various APIs, and a pattern or framework for adding new ones into the list. In that case, you can just add this particular scope to that set of "known scopes", or use an existing scope from that list if it fits your purposes. (This isn't a runtime thing, more of a development-time and governance issue)
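Both approaches from the thread in Apigee policy form, as an added example that is not from the original posts. Policy and step names are illustrative, the `grant_type` flow variable is assumed to be the one populated by the OAuthV2 VerifyAccessToken operation (check it against your Apigee release), and the `user_information_access` scope is the placeholder name Dino suggested:

```xml
<!-- Added example, not from the thread. Each element below normally lives in
     its own file (apiproxy/proxies/default.xml, apiproxy/policies/*.xml). -->

<!-- ProxyEndpoint preflow: verify the token first, then reject any token
     that verified but was not minted by the authorization_code grant. -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step>
        <Name>OAuthV2-VerifyToken</Name>
      </Step>
      <Step>
        <!-- grant_type is assumed to be set by VerifyAccessToken -->
        <Condition>grant_type != "authorization_code"</Condition>
        <Name>RaiseFault-WrongGrantType</Name>
      </Step>
    </Request>
  </PreFlow>
  <!-- remaining endpoint configuration (flows, HTTPProxyConnection, routes) unchanged -->
</ProxyEndpoint>

<!-- Illustrative VerifyAccessToken policy. The optional Scope element is the
     scope-based alternative: a token is only accepted if it carries the scope
     that the authorization-code token generation step attached to it. -->
<OAuthV2 name="OAuthV2-VerifyToken">
  <Operation>VerifyAccessToken</Operation>
  <Scope>user_information_access</Scope>
</OAuthV2>

<!-- Fault returned when a valid token was issued under the wrong grant. -->
<RaiseFault name="RaiseFault-WrongGrantType">
  <FaultResponse>
    <Set>
      <StatusCode>403</StatusCode>
      <ReasonPhrase>Forbidden</ReasonPhrase>
      <Payload contentType="application/json">{"error":"token grant type not allowed for this proxy"}</Payload>
    </Set>
  </FaultResponse>
</RaiseFault>
```

VerifyAccessToken already rejects invalid, expired or wrongly scoped tokens with its own fault, so the conditional RaiseFault step only runs for tokens that verified but came from a different grant.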

Thank you, Dino,

I think the solution proposed by you will work fine in our case.