
Limiting Access to Client Credentials #196

Closed
huntsfromshadow opened this issue Nov 18, 2016 · 7 comments

Comments

@huntsfromshadow

Currently a Client Credentials grant works with a password grant client and an authorization grant client.

In either case if the user sends in the correct client_secret and correct client_id to oauth/token the system
authorizes and returns a token.

I'm thinking it may be good to limit clients that can use the client_credential grant similar to how password grant works.

@themsaid
Member

But endpoints protected by the client credentials grant may be accessible by anyone with access; they are public endpoints, so yes, as long as you have a valid token you can access them.

@huntsfromshadow
Author

Aren't all endpoints protected by all grants? Maybe I'm not understanding something correctly.

Right now I have endpoints that use the middleware auth:api.
The endpoint works fine with the password client. Will it not work correctly with the client_credentials grant?

@themsaid
Member

The client credentials grant has no user attached, it just gives access to a client for specific endpoints. Think of an endpoint that returns the countries a user can register from, by the time you need this endpoint there's no user object, only a client.

@huntsfromshadow
Author

Okay that makes sense.
How do you set endpoints then to use client credential?

Our use case here: we have a secure server-to-server connection that needs to send commands to this API. These commands are not tied to a specific user (as the caller will be sending commands on behalf of all users).

@craigpaul

craigpaul commented Nov 18, 2016

@huntsfromshadow instead of securing your endpoint with the auth:api middleware, you can use the simplified one here (CheckClientCredentials). Passport doesn't register middleware in its service provider so you will have to put it in your Kernel file, but that middleware basically authorizes a token but doesn't require a user to be attached.

@huntsfromshadow
Author

Thanks.

@amsanket22

But it allows password tokens as well; I just want to provide access to client credential grant based tokens.
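The middleware craigpaul points at validates the bearer token without requiring a user, which is why a password-grant token also passes it, the gap amsanket22 raises. The following is an added example, not Passport's own code: a route middleware that validates the token the same way and then rejects any token that has a user attached, since only client_credentials tokens have an empty subject. The class name `RequireClientCredentialsToken` is hypothetical; it assumes the Symfony PSR-7 bridge's `DiactorosFactory` that Passport 1.x used, and it relies on the `oauth_user_id` attribute the League resource server sets on the validated request.

```php
<?php
// app/Http/Middleware/RequireClientCredentialsToken.php (hypothetical name;
// added example, not part of Passport or of this issue's code).

namespace App\Http\Middleware;

use Closure;
use Illuminate\Auth\AuthenticationException;
use League\OAuth2\Server\Exception\OAuthServerException;
use League\OAuth2\Server\ResourceServer;
use Symfony\Bridge\PsrHttpMessage\Factory\DiactorosFactory;

class RequireClientCredentialsToken
{
    /** @var ResourceServer */
    protected $server;

    public function __construct(ResourceServer $server)
    {
        $this->server = $server;
    }

    public function handle($request, Closure $next)
    {
        // Assumption: the PSR-7 bridge used by Passport 1.x; newer Passport
        // releases ship a different factory but the resource server call is the same.
        $psr = (new DiactorosFactory)->createRequest($request);

        try {
            // Checks signature, expiry and revocation, exactly as Passport's
            // CheckClientCredentials middleware does. A password or
            // authorization-code token passes this step too.
            $psr = $this->server->validateAuthenticatedRequest($psr);
        } catch (OAuthServerException $e) {
            throw new AuthenticationException;
        }

        // The League resource server copies the token's subject into
        // oauth_user_id. A client_credentials token has no subject (null or
        // empty string depending on version); user-bound tokens carry the
        // user id, so they are refused here rather than treated as a client.
        if (! empty($psr->getAttribute('oauth_user_id'))) {
            throw new AuthenticationException;
        }

        return $next($request);
    }
}
```

Register it under a key in `$routeMiddleware` in app/Http/Kernel.php, as the thread says Passport does not register middleware itself, and apply that key with `->middleware(...)` on the server-to-server routes only. Routes for user-facing clients keep `auth:api`, so the two kinds of token never cross over.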
