GUT-profile-WG / GUT-profile

Repository for the G(rand) U(nified) T(oken) profile

Should group memberships also be supported for client-credential clients? #11

Open maarten-litmaath opened 8 months ago

maarten-litmaath commented 8 months ago

A client-credentials client is a natural fit for running a service that should not be operated on behalf of a specific member of the VO. A potential downside is that it may not be possible to add such a client to any group. The client may hence be unable to obtain tokens containing group information that might be desirable or required for certain use cases.

Tokens requested by such a service might then need to have group notions expressed through capabilities instead, which may be deemed awkward at best.

A workaround would be to define a service user in the VO and log in as that user to approve a device-flow client that then can be used by the service in question.

Should group memberships also be supported for client-credential clients?

maarten-litmaath commented 8 months ago

Corresponding IAM issue

DrDaveD commented 7 months ago

Specification of client credentials flow