PredixDev / predix-webapp-starter

A web application starter kit built on Polymer, Web Components, NodeJS and Predix UI Components
https://predix-webapp-starter.run.aws-usw02-pr.ice.predix.io

Add access token middleware #17

Closed KevinVecchione closed 6 years ago

KevinVecchione commented 6 years ago

Add access token middleware to pass the principal's access token to proxied services. Allows services to use the access token for authorization decisions, such as when using IDM group IDs added to the token scope by shared UAA.

gstroup commented 6 years ago

Thanks for the PR. We usually recommend using a separate token with client_credentials grant type for connecting to services from the web app. But I can see how it might make sense in some cases, to pass along the user token when IDM group info is needed. I think I'll merge this in soon. Thanks.

KevinVecchione commented 6 years ago

Thanks Greg. Is there some way to preserve the principal in the token when using a client credentials grant? That was the main motivation for my PR... with a client token I couldn't figure out who was actually using the application to make an authorization decision.

gstroup commented 6 years ago

No, I think the client_credentials token is not tied to a particular user (principal). You could potentially make the authorization decisions in your front end application, and only call the service if the user has permission. (Using the separate client_credentials token to call the service.) Not sure if that works in your case or not.

gstroup commented 6 years ago

Thanks for the contribution!
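
The pattern described in the PR, as an added example that is not the code from this pull request or from predix-webapp-starter: an Express-style middleware, mounted in front of the proxy, that forwards the logged-in user's access token only to allow-listed proxied routes and discards any `Authorization` header the browser sent. The route prefixes and the `req.user.accessToken` session shape are assumptions for illustration.

```javascript
// Added example. USER_TOKEN_ROUTES and req.user.accessToken are hypothetical
// names, not taken from predix-webapp-starter.

// Proxied route prefixes whose backing service needs the user's identity.
const USER_TOKEN_ROUTES = ['/api/assets', '/api/timeseries'];

// True when `path` equals a prefix or sits below it ("/api/assets/1"),
// but not for look-alikes such as "/api/assets-admin".
function isUserTokenRoute(path, prefixes = USER_TOKEN_ROUTES) {
  return prefixes.some((p) => path === p || path.startsWith(p + '/'));
}

// Express-style middleware (req, res, next) for proxied routes only.
function forwardUserToken(req, res, next) {
  // Never relay a client-supplied Authorization header to a backend:
  // the only token forwarded is the one held in the server-side session.
  delete req.headers.authorization;

  // Routes not on the list continue without the user token, so the proxy
  // can attach its own credentials (for example a client_credentials token).
  if (!isUserTokenRoute(req.path)) return next();

  const token = req.user && req.user.accessToken; // assumed session shape
  if (!token) {
    // No authenticated principal: fail closed instead of proxying anonymously.
    res.statusCode = 401;
    return res.end('login required');
  }

  req.headers.authorization = 'Bearer ' + token;
  return next();
}
```

The receiving service still has to validate the token's signature, audience and expiry itself before using its scopes for an authorization decision.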