Reputation: 33
Authorization-Code-Flow JWT is generally used to authenticate a human user.
Client-Credentials-Flow JWT is generally used to authenticate a server client.
We are using the same OAuth 2 server for these two kinds of flows.
However, some services do not like a human user using their JWT to call them.
So what is the best practice to prevent an Authorization-Code-Flow JWT from being used to authenticate a call to a backend-to-backend-only service?
Thanks.
Upvotes: 1
Views: 288
Reputation: 12322
There are different ways to achieve what you need. Tuan LE CONG mentioned that you could restrict access at the infrastructure level — you can make sure that services that have user tokens are not able to call those services that expect client credentials tokens.
Another way is to make authorization decisions based on the access tokens. JWT access tokens consist of claims, and in every token you should find a sub claim. This identifies the subject of the token. For user tokens (those created with the authorization code flow) you will have the user's ID, email, or similar information in the sub claim. For service-to-service tokens (created with the client credentials flow), you will have the service's ID (e.g., the OAuth client ID) in the sub claim. You can reject any requests that do not contain a valid client ID. This validation can be performed either by the service itself or by an API gateway.
Upvotes: 0
Reputation: 387
My 2 cents:
If your backend services are deployed in the same cluster or network and the service is backend-to-backend only, you should not expose / publish its APIs to the world. This approach doesn't require modifying code but can be done at the infrastructure (network, firewall) layer.
If your backend services are deployed in different clusters / networks, then you should handle it at the application layer (your backend code) so that it does not support the Authorization-code-flow.
Upvotes: 1