Tags: security, oauth-2.0, openid-connect, clientcredential

How can I identify if an access token has been created through either client credentials or authorisation code flows?


Is there a standardised way of differentiating whether an access token has been created through the client credentials or the authorisation code flow? I know that the authorization code flow is used for user authentication and contains user personal information, but besides those claims that might be attached to the JWT, is there a standard good practice to know that a token has been created through a specific flow without knowing beforehand?


Solution

  • One option is to include a client claim that is specific to the client that requested the tokens.

    For example, with IdentityServer, you have a concept of ClientClaims that you can read more about here. ClientClaims are claims that are specific to a client and do not vary depending on the user.

    An access token generated for a user also typically includes the AMR claim, and access tokens issued using the client credentials flow do not contain the AMR claim.

    Read more about the AMR claim here.
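The two heuristics from the answer (a client-specific marker claim, and the presence or absence of `amr`) put together in a resource-server check. This is an added example, not code from the question or the answer and not IdentityServer's own API. It assumes an HS256-signed JWT with a constructed demo key (a real resource server would validate against the issuer's published keys), a constructed marker claim named `client_flow` standing in for whatever client-specific claim you configure, and the assumption that a client-credentials token either has no `sub` or has a `sub` equal to its `client_id`, which varies between authorization servers and should be checked against your issuer's documentation.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key for the example only; a real resource server validates
# against the issuer's public signing keys (e.g. from its JWKS endpoint).
DEMO_KEY = b"constructed-demo-hmac-key"

# Hypothetical client-specific claim, standing in for an IdentityServer-style
# ClientClaim that the token service attaches based on the requesting client.
FLOW_MARKER_CLAIM = "client_flow"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint a compact HS256 JWT; used here only to build sample tokens."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_and_decode(token: str, key: bytes = DEMO_KEY) -> dict:
    """Check the signature before trusting any claim; reject unexpected algs."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def classify_flow(claims: dict) -> str:
    """Return 'user', 'client_credentials' or 'unknown' for a verified claim set.

    Order matters: an explicit client-specific marker claim is the most
    reliable signal; the amr heuristic from the answer comes second; the
    sub/client_id comparison is an assumption that depends on the issuer.
    """
    marker = claims.get(FLOW_MARKER_CLAIM)
    if marker in ("client_credentials", "user"):
        return marker
    if "amr" in claims:
        # amr lists how the end user authenticated, so it only appears on
        # tokens issued for a user (authorization code, hybrid, ...).
        return "user"
    sub, client_id = claims.get("sub"), claims.get("client_id")
    if sub is None or (client_id is not None and sub == client_id):
        return "client_credentials"
    return "unknown"


def classify_token(token: str, key: bytes = DEMO_KEY) -> str:
    return classify_flow(verify_and_decode(token, key))


# Constructed sample tokens: one from an interactive user login, one from a
# machine client, one carrying the explicit marker claim.
USER_TOKEN = sign_jwt({"iss": "https://issuer.example", "client_id": "web-app",
                       "sub": "user-42", "amr": ["pwd", "mfa"], "scope": "api"})
M2M_TOKEN = sign_jwt({"iss": "https://issuer.example", "client_id": "batch-job",
                      "scope": "api"})
MARKED_TOKEN = sign_jwt({"iss": "https://issuer.example", "client_id": "batch-job",
                         "sub": "svc-account", FLOW_MARKER_CLAIM: "client_credentials"})

if __name__ == "__main__":
    for name, tok in [("user", USER_TOKEN), ("m2m", M2M_TOKEN), ("marked", MARKED_TOKEN)]:
        print(name, "->", classify_token(tok))
```

The resource server should refuse to act on the classification until the signature (and `iss`, `aud`, `exp`) has been validated, since every claim used here is attacker-controlled until then; the `MARKED_TOKEN` case shows why the explicit client claim is preferable, as its `sub` is neither absent nor equal to `client_id` and the `amr` heuristic alone would have returned `unknown`.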