Closed billoneil closed 8 years ago
If a 3rd party API is using your API via Client Credentials, should the user still be required?
Yes. We need to know who is authenticated via Client Credentials.
My understanding of Client Credentials is that it can be used as an API to API (Machine to Machine) authentication method. This allows the client to hit any endpoints with the given scopes for that client whether or not the API is acting on behalf of a user. The client can additionally have a user in scope for increased permissions.
Going from this. If there were a cron job running that just needed some basic access to an API there would be no "user" in scope, just a client id / secret. https://oauth2.thephpleague.com/authorization-server/client-credentials-grant/
I was able to work around this by making my user object something like
case class User(id: Option[Long])
and always return it one way or another but this seems incorrect to me.
Thanks for your explanation. I understand the case.
You might create another DataHandler by separating normal user and API user.
sealed trait User
case class NormalUser(id: Long) extends User
case class ApiUser() extends User
Then you can use DataHandler[NormalUser] and DataHandler[ApiUser]. Current API interface requires many methods, so this solution might be troublesome.
Or, how do you create an account in your service for accessing API?
API to API resource will be protected by client credentials with special scope value. User model will be able to be case class User(id: Long).
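The NormalUser / ApiUser split suggested above, as a stand-alone added example that is not part of the thread and does not use scala-oauth2-provider's API. `Grant`, `Decision`, `Authz`, the `clientId` field on `ApiUser` and the scope value `internal:sync` are assumptions made for illustration.

```scala
// Added example: principal types follow the thread; everything else is hypothetical.
sealed trait User
final case class NormalUser(id: Long) extends User
final case class ApiUser(clientId: String) extends User // clientId field is an assumption

// Hypothetical stand-in for what a validated access token resolves to.
final case class Grant(user: User, scopes: Set[String])

sealed trait Decision
case object Allow extends Decision
final case class Deny(reason: String) extends Decision

object Authz {
  val MachineScope = "internal:sync" // constructed scope value

  // Endpoint that acts on one person's data: a machine token never qualifies.
  def userEndpoint(g: Grant, ownerId: Long): Decision = g.user match {
    case NormalUser(id) if id == ownerId => Allow
    case NormalUser(_)                   => Deny("token belongs to a different user")
    case ApiUser(cid)                    => Deny(s"client $cid has no user in scope")
  }

  // API-to-API endpoint: needs a client-credentials principal and the special scope.
  def machineEndpoint(g: Grant): Decision = g.user match {
    case ApiUser(_) if g.scopes.contains(MachineScope) => Allow
    case ApiUser(cid)  => Deny(s"client $cid lacks scope $MachineScope")
    case NormalUser(_) => Deny("user tokens are not accepted here")
  }
}

object Demo {
  def main(args: Array[String]): Unit = {
    // Constructed sample grants.
    val cron     = Grant(ApiUser("cron-job"), Set(Authz.MachineScope))
    val unscoped = Grant(ApiUser("partner-api"), Set("read"))
    val alice    = Grant(NormalUser(42L), Set("profile"))

    println(Authz.machineEndpoint(cron))     // scoped client-credentials token
    println(Authz.machineEndpoint(unscoped)) // client without the special scope
    println(Authz.userEndpoint(cron, 42L))   // machine token on a user endpoint
    println(Authz.userEndpoint(alice, 42L))  // user token on its own resource
  }
}
```

Because `User` is sealed, the compiler warns when a match omits one of the principal kinds, whereas the `Option[Long]` workaround leaves the "no user" case to be checked by hand at each call site.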
https://github.com/nulab/scala-oauth2-provider/blob/master/scala-oauth2-core/src/main/scala/scalaoauth2/provider/GrantHandler.scala#L96
It seems like you are required to have a User with the ClientCredentials grant handler. If a 3rd party API is using your API via Client Credentials, should the user still be required?