Client Credential Flow
Description
The client credentials flow is a standardized flow in OIDC/OAuth 2.0 for machine-to-machine access. The normal flow consists of a client id and a client secret, which are usually exchanged manually and also configured manually in backend systems. Normally a client id + secret is created in order to obtain access tokens, but this could be replaced by a DID-based mechanism.
Change Description
Instead of creating a client id and client secret, the client should be registered with just its DID. The verification of client id and client secret should be replaced by the following process during a token request:
- The client requests a nonce from the AAS for its client DID
- The client creates a JWT containing the nonce
- The client uses its DID as the client id and the signed JWT as the client secret
- The AAS checks the nonce; if it exists, the DID is resolved
- The AAS resolves the key referenced by the kid in the JWT header
- The AAS checks the signature; if the signature is valid, a token is returned