Which UI do you use?

Custom UI

Pre built UI

Recommend access tokens using custom scopes for M2M

Status

This is just a proposal so far, it hasn't been accepted and needs further discussion.

Status:

proposed

Deciders:

rishabhpoddar, porcellus

Proposed by:

porcellus

Created:

2023-05-11

Context and Problem Statement

We want to remove/simplify the M2M guide that uses the JWT recipe.

Considered Options

• Keep recommending the JWT recipe
• Provide separate API for admin keys
• Recommend access tokens using custom scopes for M2M

Decision Outcome

Chosen option: Recommend access tokens using custom scopes for M2M

• Fits the client credential flow of OAuth2 well.
• Doesn't require a separate/dedicated recipe for M2M.
• Doesn't require a separate guide.

Some further details:

• Our customers will still be able to add and share client credentials with/for their clients. Using this, M2M can be done using the client credentials flow.
• By adding the recommendation to create a long lived access token we hope to make it easier to use ("just add it as a Bearer token", essentially making this into a simple API key) for the client.
• If this method is used, these tokens should be considered opaque and validated using the token verification endpoint exposed by the core.

Pros and Cons of the Options

Provide separate API for admin keys

Self-explanatory API

Requires a dedicated recipe for M2M

Requires a dedicated validator for M2M

Makes it hard if an endpoint can be called by both another server (M2M) and FE clients

Recommend access tokens using custom scopes for M2M

Fits the client credential flow of OAuth2 well

Easy to implement endpoints that can be called by both another server (M2M) and FE clients

Requires enabling OAuth2 even if it's not intended for end-users of the app

Requires more docs

Keep recommending the JWT recipe

Already implemented

Requires a separate guide

Requires a separate type of token validation