OAuth Client Credentials and policies
We need to protect an API, but clients can only use the client credentials claim.
Since this is the client credentials flow (no user authentication), there is no user information on which we could set access rules, and perhaps send information about the client to backend services using identity injection.
So is there a possibility to use the OAuth clientID and/or client name in conditions in an authorization policy or identity injection policy?
Any other ideas on how to somehow evaluate OAuth client information (e.g. clientID) are also appreciated.
Thanks and kind regards,
Currently the Authorization Policy and II Policy do not fetch the client ID from the IDP server. However, if you are using 'Do Not Encrypt' with the Resource Server, you can see the client ID in the token itself.
"_target": "Identity Provider"
The aud field has the client ID. If you can inject the access token into the backend web server, then this value can be retrieved. (Changes in the web server are required for this.)