Improve authentication/authorization documention w/ examples about client credentials OAuth 2 flow

[fidgi]

Hi,

Current authentication/authorization documention is focused on the case where the principal is a user (e.g. the function verifyToken returns a UserProfile ) . It is not clear how to handle the case where the principal is an application as in the client credentials OAuth 2.0 flow.

Can this be improved ?

Regards,

[raymondfeng]

I have a similar use case and here is my solution:

1. Register an authentication strategy that validates the client credentials
2. If successful, bind the application principal to the request context and return an Anonymous user profile

Ideally, we should allow a strategy to return a more generic object such as SecuritySubject, which can contain more than one principals (including application and user).