Client Type TIA Plugin

Authorize the issuance of a scope based on the type of client making the request.

Use Cases

There are different client types, notably:

  • Configured clients
  • Database clients
  • Templatized DCR clients
  • Non-templatized DCR clients
  • Ephemeral clients

Each type of client might have a different background, leading to a different level of trust that can be placed in it. While there might be static configuration options that restrict which scopes different types of clients can request, it may make sense to control scope issuance dynamically with the Client Type TIA plugin. For example, you might want to allow scopes to be issued to configured clients but not to ephemeral clients, as the latter are based on a short-term relationship that might not be suitable for certain scopes.

Process

The Client Type TIA plugin evaluates the request context to determine the type of the client that is used to request a token. Based on its configuration, the plugin can indicate one of the following:

  • the client type is in the configured list of allowed client types (allowed-client-types), so the scope is allowed to be issued
  • the client type is not in the configured list of allowed client types, so issuance of the scope is denied
