OAuth 2.0 Machine to Machine Authentication Best Practice

bowie · October 11, 2019, 1:52pm

Hi,

We want to implement a machine to machine authorization with OAuth2.0. But we are not sure how we can do Authentication (ie. How we can identify which client who connects with us). The use case would be:

Multiple clients with different OAuth credentials want to connect our service.
We are using JWT Token for the OAuth implementation.
With OAuth we can authorize them since they will have the valid token
We want to be able to identify which client to statistic need.

One solution could be the use of scope fields in JWT Token, but it seems like a hack rather than a proper solution.

Is there any best practice in this domain, for me it is more like a openId but for a machine.

Regards,
Bowie

abroadhurst · October 11, 2019, 3:06pm

Maybe you could retrieve the audience of the JWT token instead and use that to determine which client you need.

bowie · October 11, 2019, 3:19pm

Hi @abroadhurst, thanks for the reply, what do you mean with the audience ?

abroadhurst · October 11, 2019, 3:25pm

if you decoded the jwt you can get the aud (audience) (https://jwt.io/). This can determine who signed off on the jwt (so which okta domain)

system · January 18, 2024, 12:20am

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

Post		Replies	Views
Correct way of issuing client ids in multiple components OAuth/OIDC api	1	4999	February 12, 2024
Oauth 2.0 Tokens vs API Tokens OAuth/OIDC	2	2972	July 26, 2021
Using OIDC and OAuth with Microservices and API Management OAuth/OIDC	4	6202	March 5, 2018
Okta/OIDC setup for application/microservice architecture Questions	1	4362	January 17, 2024
Does default okta authorization server support client credentials flow? OAuth/OIDC	3	1623	January 4, 2024

OAuth 2.0 Machine to Machine Authentication Best Practice

Related topics