I am not 100% familiar with OAuth2 so bear with me.
I have an app that has resources and user accounts. I have added this OAuth2 server (with the Symfony bundle) and I want to manage these resources from a smartphone app. I want to have the authentication using OAuth2 so that the smartphone client uses tokens that do not contain the credentials and can be revoked.
I understand that the best grant for this use case is client_credentials. However this grant generates a token with an empty sub:
The null argument is userIdentifier, and the generated token has ... "sub": "" ...
Once I obtain a token and use it to access a specific resource, the Symfony firewall/bundle will try to load the user using the sub:
With an empty sub, the userIdentifier is also empty, and thus the DB lookup fails and it returns a dummy NullUser object.
I don't understand why the token generated does not contain a sub (subject?). I've read that this is as per the spec, because the token identifies a machine and not the user. While this is true, the machine acts on the user's behalf, so the server app should be able to retrieve the user from the token.
Now I think I could get the user from the client ID provided in the token, however this looks like Symfony plumbing which is outside of the scope of my question (I guess?)
Thanks
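As an added illustration of the point raised in the question (this is example code written for this page, not the poster's code and not the OAuth2 bundle's), here is a minimal token issuer and resource-side verifier in Python. It shows why a client_credentials token carries an empty sub (the grant authenticates the client, not a user), how a user-delegating grant (authorization_code or password) fills sub, and how the resource side can resolve the client from aud when sub is empty instead of falling back to a NullUser. The HS256 shared key, the USERS/CLIENTS tables and the aud/scopes claim layout are assumptions; the only claim taken from the post is "sub": "", and the real bundle signs with an RSA key rather than an HMAC.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: a shared HMAC key stands in for the bundle's RSA signing key.
SIGNING_KEY = b"demo-signing-key-not-for-production"

# Constructed sample rows standing in for the app's user and client tables.
USERS = {"alice": {"id": "alice", "roles": ["ROLE_USER"]}}
CLIENTS = {"mobile-app": {"id": "mobile-app", "name": "Smartphone client"}}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> str:
    mac = hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256)
    return _b64url(mac.digest())


def issue_token(grant, client_id, scopes, user_id=None, ttl=3600, now=None):
    """Token endpoint for the grants discussed in the post.
    client_credentials authenticates only the client, so `sub` is empty;
    authorization_code and password carry the resource owner in `sub`.
    Claim names follow the post's output ("sub": ""); aud/scopes are assumed."""
    if client_id not in CLIENTS:
        raise ValueError("unknown client")
    now = int(time.time()) if now is None else now
    if grant == "client_credentials":
        sub = ""  # no resource owner took part in this grant
    elif grant in ("authorization_code", "password"):
        if not user_id or user_id not in USERS:
            raise ValueError(f"{grant} requires an authenticated resource owner")
        sub = user_id
    else:
        raise ValueError(f"unsupported grant: {grant}")
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"aud": client_id, "sub": sub, "scopes": list(scopes),
              "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    return signing_input + "." + _sign(signing_input)


def verify_token(token, now=None):
    """Resource-server side: check structure, alg, signature and expiry
    before trusting any claim. Returns the claims or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # never honour "none" or a foreign alg
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_sign(f"{h64}.{c64}"), s64):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    now = int(time.time()) if now is None else now
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def resolve_principal(claims):
    """What the firewall can do instead of returning a NullUser.
    A non-empty `sub` names the user the client acts for. An empty `sub`
    is a client_credentials token: there is no user, only the client in `aud`."""
    if claims.get("sub"):
        user = USERS.get(claims["sub"])
        if user is None:
            raise ValueError("token subject no longer exists")
        return ("user", user)
    client = CLIENTS.get(claims.get("aud"))
    if client is None:
        raise ValueError("token bound to an unknown client")
    return ("client", client)


def require_user(claims):
    """Guard for resources that only make sense for a specific user."""
    kind, principal = resolve_principal(claims)
    if kind != "user":
        raise PermissionError("needs a user-bound token (authorization_code or "
                              "password grant), not a client_credentials one")
    return principal


def forge_subject(token, new_sub):
    """Attacker's attempt: rewrite `sub` in a valid token while keeping the
    old signature. verify_token must reject the result."""
    h64, c64, s64 = token.split(".")
    claims = json.loads(_b64url_decode(c64))
    claims["sub"] = new_sub
    return h64 + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + s64
```

The principal resolution mirrors the poster's idea of falling back to the client ID: an empty sub is a legitimate machine identity, not a lookup failure, and only endpoints that truly need a user should refuse it. A token that must act for a particular user has to come from a grant in which that user authenticated; for a native or mobile app that is the authorization code grant with PKCE (RFC 7636, RFC 8252), which is what fills sub. The forge_subject helper exists only to show that the signature check, not the sub lookup, is what stops a client from naming a user it was never authorized for.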