zf-fr / zfr-oauth2-server

PHP library for creating an OAuth 2 server (currently proof of concept)
BSD 3-Clause "New" or "Revised" License

Who is the token owner in client credentials grant? #23

Closed ojhaujjwal closed 10 years ago

ojhaujjwal commented 10 years ago

Who is the token owner in client credentials grant?

In my case, the token owner is the client itself.

ojhaujjwal commented 10 years ago

http://tools.ietf.org/html/rfc6749#section-4.4

ojhaujjwal commented 10 years ago

Looking at src/ZfrOAuth2/Server/Grant/ClientCredentialsGrant.php#L70-78, I don't see any token owner defined.

ojhaujjwal commented 10 years ago

Taken from the abstract of http://tools.ietf.org/html/rfc6749

"The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf."

So, I think a token owner can also be a client.

ojhaujjwal commented 10 years ago

Sorry. I got all the things wrong. There is no token owner in client credentials grant.

bakura10 commented 10 years ago

Hope it makes sense now! Those grants are actually a bit unclear to me too (even though I implemented them, I didn't test them in real life). If you have some time, don't hesitate to add some docs to outline what the flow is and how it works in practice...

I know docs are really a weak point of this library :(
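The thread's conclusion (a client credentials token is tied to the authenticated client but has no resource owner, per RFC 6749 section 4.4), shown as an added PHP example that is not ZfrOAuth2 code nor code from anyone in the thread; AccessToken, issueClientCredentialsToken and resolveActingUser are hypothetical names, and the example assumes PHP 8.1 or later.

```php
<?php
// Added example (not ZfrOAuth2 code): a token issued by the client credentials
// grant records which client it was issued to, but has no resource owner, and a
// resource server must handle that null owner explicitly instead of assuming
// every token carries a user.
declare(strict_types=1);

final class AccessToken
{
    public function __construct(
        public readonly string $token,
        public readonly string $clientId,
        public readonly ?string $ownerId,  // null when issued by client credentials grant
        public readonly array $scopes,
    ) {}
}

// Hypothetical issuance step for RFC 6749 section 4.4: the client has already
// been authenticated, no resource owner took part, so ownerId is null.
function issueClientCredentialsToken(string $clientId, array $scopes): AccessToken
{
    return new AccessToken(bin2hex(random_bytes(32)), $clientId, null, $scopes);
}

// Hypothetical resource-server guard: an endpoint that acts on "the current
// user" has nobody to act for when the token was obtained on the client's own
// behalf, so it refuses rather than falling through to a default or empty user.
function resolveActingUser(AccessToken $token): string
{
    if ($token->ownerId === null) {
        throw new RuntimeException(sprintf(
            'token was issued to client "%s" on its own behalf; there is no resource owner',
            $token->clientId
        ));
    }
    return $token->ownerId;
}

$token = issueClientCredentialsToken('reporting-service', ['reports:read']);

// The client is not the owner: ownerId stays null and the user-scoped guard refuses.
echo 'owner is ', ($token->ownerId === null ? 'absent' : $token->ownerId), PHP_EOL;
try {
    resolveActingUser($token);
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), PHP_EOL;
}
```

A grant that does involve a user (authorization code, password) would populate ownerId, and the same guard then returns it; keeping the distinction in the token record is what lets a resource server tell "acting for user X" apart from "acting as the client".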