Is there any way to generate an OAuth Access Token which is associated to a server/application as well as to a particular user so that the issued token can not be used to operate on another user.
The reason I am asking for a user level token is that , If I issue an access token (Following OAuth 2.0 Client Credential Grant Type) to a server , it just verifies if the right server is accessing the API. However It doesn't limit the usage of token to one particular user. So if the token is compromised then all data can be accessed irrespective of the logged in user.
Note : We are using CA API GW 9.0 & OTK 3.2
Dear suhas.mv ,
That's expected for Client Credential flow, if you want to authenticate against a user before issuing the access token, you should choose other oauth flow, such as auth code flow, or at least the resource owner flow.
As Mark pointed out, in a cases where the client_credentials flow is used, there is no notion of users (as in persons). You can use practically any other grant_type but not client_Credentials if you need to associate the token with a user.
With other grant_types the assertion 'OTK Require OAuth 2.0 Token' always sets a variable that contains the username of the associated user. That should be what you need.
Were you able to resolve the issue? What was the final result?
Stephen HughesBroadcom Support