In the client_credentials flow, the client sends a request to the authorization server to get an access token for itself, not for a particular user. In that case, the client should not specify scopes, because they can be inherited from registration, as the client's scopes for the client credentials flow.
That way we can be sure that the client can only request the scopes we allow it to request, and not all the scopes we don't allow it. (All matters of scope confirmation and scope updating are beyond the scope of this issue.)
Todo:
[x] Set userId field to be optional on AccessToken model
scopes in Client model