Idea ID: 2873337

OAuth - Activate a role based on ClientID Condition

Status: New Idea

When we activate a role in policies, we currently set conditions based on a set of Authentications (IDP, Contract, ...) and/or on Attributes (from LDAP or other stores).

Authentication Conditions always fail when we activate Roles for the OAuth Access token.

Is it a bug, or is it because we are dealing with an authentication vs. authorization issue?

Here is a wishful idea for the authentication conditions when dealing with OAuth access/ID token role activation:

1- Add the clientID as a condition.

2- Solve the current issue with the following approach: the access token holds the clientID in the audience, and the clientID refers to the client application, which holds the authentication procedures.

Note: OAuth access token injection has the same issue.
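As an added example (not the product's code, and not from this idea's author), here is a small Python policy evaluator showing how a clientID condition could work against an OAuth access token: the token is verified (algorithm, signature, issuer, expiry) before any claim is read, the client application is looked up in the aud, client_id and azp claims, and an IDP-style authentication condition in the same policy never activates because the access token carries no such claim. Everything in it is constructed for illustration: the HS256 shared secret, the issuer URL, the policy format, the role and client names, and the authn_method claim name.

```python
"""Added example, not the product's code: evaluate role-activation conditions
against a verified OAuth access token, including a hypothetical clientID
condition matched on the token's aud / client_id / azp claims."""
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for the HS256 sample token. A real policy engine would
# verify the issuer's RS256/ES256 signature against its published JWKS.
SHARED_SECRET = b"constructed-demo-secret-not-for-production"
EXPECTED_ISSUER = "https://idp.example.com"  # assumed issuer URL


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(claims: dict) -> str:
    """Build a compact HS256 JWT for the sample (the IdP's job in reality)."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(p, separators=(",", ":")).encode())
        for p in (header, claims))
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_access_token(token: str, now=None) -> dict:
    """Check alg, signature, issuer and expiry; return claims or raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the alg; never trust the header
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if float(claims.get("exp", 0)) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def token_client_ids(claims: dict) -> set:
    """Every place a token can name the client application: 'aud' (string or
    list, RFC 7519), 'client_id' (JWT access tokens, RFC 9068), 'azp' (OIDC)."""
    aud = claims.get("aud", [])
    ids = {aud} if isinstance(aud, str) else set(aud)
    ids.update(claims[c] for c in ("client_id", "azp") if c in claims)
    return ids


def evaluate_condition(condition: dict, claims: dict) -> bool:
    """One policy condition. 'clientID' is the proposed type; 'authentication'
    stands for the existing IDP/Contract type, which an access token has no
    claim to satisfy (hypothetical 'authn_method'), so it never holds here."""
    kind = condition["type"]
    if kind == "clientID":
        return condition["value"] in token_client_ids(claims)
    if kind == "attribute":
        return claims.get(condition["name"]) == condition["value"]
    if kind == "authentication":
        return claims.get("authn_method") == condition["value"]
    raise ValueError(f"unknown condition type {kind}")


def activated_roles(policy: dict, token: str, now=None) -> set:
    """Roles whose conditions all hold; the token is verified before any
    claim is read, so a forged aud cannot activate a role."""
    claims = verify_access_token(token, now)
    return {role for role, conds in policy.items()
            if all(evaluate_condition(c, claims) for c in conds)}


# Constructed sample policy and token (hypothetical role and client names).
SAMPLE_POLICY = {
    "hr-reader": [{"type": "clientID", "value": "hr-portal"}],
    "hr-admin": [{"type": "clientID", "value": "hr-portal"},
                 {"type": "attribute", "name": "department", "value": "HR"}],
    "legacy-web": [{"type": "authentication", "value": "IDP:corp-saml"}],
}
SAMPLE_TOKEN = mint_access_token({
    "iss": EXPECTED_ISSUER, "sub": "alice",
    "aud": ["hr-portal", "https://api.example.com"], "client_id": "hr-portal",
    "department": "Finance", "exp": 4102444800,  # 2100-01-01
})

if __name__ == "__main__":
    print(sorted(activated_roles(SAMPLE_POLICY, SAMPLE_TOKEN)))  # ['hr-reader']
```

Two points the example is meant to make: the clientID condition is only as trustworthy as the token verification in front of it (a client can put anything in an unsigned or mis-verified token), and `aud` is not always a single string, so a condition that compares it as one would silently fail on multi-audience tokens; checking `client_id`/`azp` as well covers tokens whose audience is a resource URI rather than the client.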