A client-credentials client is a natural fit for running a service that should not be operated on behalf of a specific member of the VO. A potential downside is that such a client cannot be added to any group and can hence cannot obtain tokens containing group information that might be desirable or required for certain use cases.
Tokens requested by such a service might then need to have group notions expressed through capabilities listed in scopes, which may be deemed awkward at best.
A workaround is to define a service user in the VO and log in as that user to approve a device-flow client that then can be used by the service in question.
Should group memberships also be supported for client-credential clients?
A client-credentials client is a natural fit for running a service that should not be operated on behalf of a specific member of the VO. A potential downside is that such a client cannot be added to any group and can hence cannot obtain tokens containing group information that might be desirable or required for certain use cases.
Tokens requested by such a service might then need to have group notions expressed through capabilities listed in scopes, which may be deemed awkward at best.
A workaround is to define a service user in the VO and log in as that user to approve a device-flow client that then can be used by the service in question.
Should group memberships also be supported for client-credential clients?