Grant Type TIA Plugin

Authorize the issuance of a scope based on the grant type of the request.

Use Cases

A client is configured with a list of scopes that it is allowed to request. However, you might want to control the issuance of scopes based on the grant type used to request the token, as some scopes might only make sense when issued through a particular grant type.

For example, a scope that is issued through a Client Credentials flow ends up in a token that represents the client itself. As such, that scope might not make sense (or even be harmful) when issued in a token that represents a user through an Authorization Code flow.

Another example is a scope issued through the device flow, where the resulting access token is received by the device and used to call device-related APIs. Such a scope should not be issued to a client that is not operating as a device.

Process

The Grant Type TIA plugin evaluates the request context to determine the grant type or flow used to issue the token. Based on its configuration, the plugin indicates either that

  • the grant type is in the configured list of allowed grant types (allowed-grant-types), allowing the scope to be issued
  • the grant type is not in the configured list of allowed grant types, denying the issuance of the scope
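The following Python model, added here as an illustration and not the plugin's own code, shows the decision the two bullets describe: each scope carries an allowed-grant-types list, the grant type is read from the token request, and the scope is allowed or denied accordingly. The class and function names, the policy table and the scope names are constructed for the example; the grant type strings are the standard OAuth 2.0 identifiers (RFC 6749 and the RFC 8628 device flow). Scopes with no policy attached are simply not evaluated by this check.

```python
from dataclasses import dataclass

# Standard grant type identifiers: OAuth 2.0 core (RFC 6749) and the
# device flow (RFC 8628).
AUTHORIZATION_CODE = "authorization_code"
CLIENT_CREDENTIALS = "client_credentials"
REFRESH_TOKEN = "refresh_token"
DEVICE_CODE = "urn:ietf:params:oauth:grant-type:device_code"


@dataclass(frozen=True)
class ScopePolicy:
    """Constructed per-scope configuration mirroring an allowed-grant-types list."""
    scope: str
    allowed_grant_types: frozenset


@dataclass(frozen=True)
class Decision:
    scope: str
    status: str  # "allowed", "denied" or "not-evaluated"
    reason: str


def authorize_scope(policy: ScopePolicy, grant_type: str) -> Decision:
    """Allow the scope only if the request's grant type is in its allowed list."""
    if grant_type in policy.allowed_grant_types:
        return Decision(policy.scope, "allowed",
                        f"grant type {grant_type!r} is in allowed-grant-types")
    return Decision(policy.scope, "denied",
                    f"grant type {grant_type!r} is not in allowed-grant-types "
                    f"{sorted(policy.allowed_grant_types)}")


def evaluate_request(requested_scopes, grant_type: str, policies: dict) -> dict:
    """Evaluate every requested scope against the policy attached to it.

    Scopes with no policy are reported as not evaluated, since a grant-type
    check is only meaningful for the scopes it has been configured on.
    """
    decisions = {}
    for scope in requested_scopes:
        policy = policies.get(scope)
        if policy is None:
            decisions[scope] = Decision(scope, "not-evaluated",
                                        "no grant-type policy attached to this scope")
        else:
            decisions[scope] = authorize_scope(policy, grant_type)
    return decisions


def issued_scopes(decisions: dict) -> list:
    """Scopes that survive the check; denied ones are dropped from the token."""
    return sorted(s for s, d in decisions.items() if d.status != "denied")


# Constructed policies matching the use cases above (scope names are illustrative):
# a service scope only via Client Credentials, a device API scope only via the
# device flow (and refresh of such a token), and a user scope for user-facing flows.
POLICIES = {
    "service:admin": ScopePolicy("service:admin", frozenset({CLIENT_CREDENTIALS})),
    "device:telemetry": ScopePolicy("device:telemetry",
                                    frozenset({DEVICE_CODE, REFRESH_TOKEN})),
    "profile": ScopePolicy("profile",
                           frozenset({AUTHORIZATION_CODE, DEVICE_CODE, REFRESH_TOKEN})),
}

if __name__ == "__main__":
    requested = ["service:admin", "device:telemetry", "profile", "openid"]
    for gt in (AUTHORIZATION_CODE, CLIENT_CREDENTIALS, DEVICE_CODE):
        decisions = evaluate_request(requested, gt, POLICIES)
        print(gt, "->", issued_scopes(decisions))
        for d in decisions.values():
            print("   ", d.scope, d.status, "-", d.reason)
```

Note that the allowed list has to cover every grant type through which a token carrying the scope may legitimately be issued; in the constructed policies the refresh token grant is listed explicitly where a refreshed token should keep the scope, and left out for the service scope so that the decision is visible in the output.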
