Usually you'll create a new set of client credentials that ... • Aaron Parecki

69°F

Peter Holz https://twitter.com/nu4ur • Nov 24
Hi @aaronpk, what credentials should the RS use for the token introspection with the AS? These Okta blog posts on the CC flow all seem to use the client credentials. But isn't this bad?

https://developer.okta.com/blog/2020/11/18/build-a-graphql-nodejs-api
https://developer.okta.com/blog/2020/07/17/secure-node-api-with-koa
https://developer.okta.com/blog/2018/08/21/build-secure-rest-api-with-node

Usually you'll create a new set of client credentials that represents the resource server, since the OAuth client shouldn't be introspecting tokens. There isn't really any other form of authentication for the API so it's kind of an overloading of the term "client credentials"

Portland, Oregon • 48°F

Tue, Nov 24, 2020 12:38pm -08:00

1 like
- Peter Holz
Have you written a response to this? Let me know the URL:

Posted in /replies using quill.p3k.io