
Combining User Context in Machine-2-Machine OAuth2 Client Credential Flow

Çağlar Arlı


I have a REST API that is used by two separate applications and authenticates them via the M2M OAuth2 Client Credential Flow.


One of the two applications is an automation service without user context. The second one is a REST API where users authenticate with the OAuth2 Implicit Flow.

Now I need to include the user context in my common REST API too, since some information should only be shared with certain users.

What is a secure strategy to implement that scenario with OAuth2? I thought I could just include the user (or a fixed string in the case of the automation service) in the Access Token of the Client Credential Flow, but that doesn't seem possible.