I have trouble understanding the client_credentials grant in terms of identity. I have secured my web app with OpenID Connect using the authorization code flow. This works as expected and a proper access token and ID token are returned from the authorization server. So far so good.
Now I have some public APIs I want to give my customers access to. Access to these APIs is done via the different client libraries that we provide.
In many examples out there the client_credentials flow is used for that, providing a CLIENT_ID and a CLIENT_SECRET to get an access token. According to the spec this flow involves no end user and therefore no identity token is returned.
Now I am in trouble because I don't know the identity of the caller. The only thing I can say is that the access token is valid, but how is this done in practice?
How do you know which user called your service when using this flow? Do I have to save a mapping from user_account to client_id/client_secret and query for that in my API endpoint to get the user? I have to make some access decisions based on the identity that called the service.
If that is true, what benefit does OpenID Connect provide for me in that regard when I can get no ID token in that flow? Doing this with the plain OAuth2 client_credentials flow will lead to the same result.
Can someone give me some tips?
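As an added example (not part of the question above or of any answer, and not code from any particular authorization server), the following Python shows what the mapping the question asks about looks like on the API side: the token is verified (signature, issuer, audience, expiry), the client that called is read from the token's claims, and that client is resolved to the customer account that registered it before an access decision is made. Everything here is constructed for the example: the issuer and audience URLs, the client registrations, and an authorization server that signs JWT access tokens with HS256 over a shared key so the example runs with the standard library alone. A real authorization server signs with an asymmetric algorithm and the API verifies against the server's published public keys instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: a hypothetical authorization server that signs
# access tokens with HS256 over a shared key. Real servers use RS256/ES256;
# the API would then verify with the public key from the server's JWKS.
AS_SIGNING_KEY = b"constructed-demo-key-not-for-production"
ISSUER = "https://auth.example.com"      # hypothetical issuer
API_AUDIENCE = "https://api.example.com"  # hypothetical identifier of this API

# The mapping the question asks about, as the API would store it: which customer
# registered which machine client, and what that client may be granted at most.
CLIENT_REGISTRY = {
    "client_abc123": {"customer": "acme-corp",
                      "allowed_scopes": {"orders:read", "orders:write"}},
    "client_def456": {"customer": "globex",
                      "allowed_scopes": {"orders:read"}},
}


class TokenError(Exception):
    """Raised when an access token fails verification or cannot be mapped."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(signing_input: bytes) -> str:
    return b64url_encode(hmac.new(AS_SIGNING_KEY, signing_input, hashlib.sha256).digest())


def issue_client_credentials_token(client_id, scopes, audience=API_AUDIENCE, ttl=300, now=None):
    """Authorization-server side of the client_credentials grant (constructed).
    No end user is involved, so `sub` is the client itself and there is no ID token."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    claims = b64url_encode(json.dumps({
        "iss": ISSUER, "sub": client_id, "client_id": client_id, "aud": audience,
        "scope": " ".join(scopes), "iat": now, "exp": now + ttl,
    }).encode())
    return f"{header}.{claims}.{sign(f'{header}.{claims}'.encode('ascii'))}"


def verify_access_token(token, now=None) -> dict:
    """API side: check structure, signature, issuer, audience and expiry."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
    except ValueError as exc:
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        raise TokenError("unexpected alg")
    expected = sign(f"{header_b64}.{claims_b64}".encode("ascii"))
    if not hmac.compare_digest(expected.encode(), sig_b64.encode()):
        raise TokenError("bad signature")
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("aud") != API_AUDIENCE:
        raise TokenError("token not intended for this API")
    if now >= claims.get("exp", 0):
        raise TokenError("expired")
    return claims


def resolve_caller(claims) -> dict:
    """Map the verified client onto the customer account that registered it.
    Servers differ in where they put the client: `client_id`, `azp` or `sub`."""
    client_id = claims.get("client_id") or claims.get("azp") or claims.get("sub")
    entry = CLIENT_REGISTRY.get(client_id)
    if entry is None:
        raise TokenError(f"unknown client {client_id!r}")
    # Defense in depth: never honour a scope the registry does not allow this client.
    granted = set(claims.get("scope", "").split()) & entry["allowed_scopes"]
    return {"client_id": client_id, "customer": entry["customer"], "scopes": granted}


def authorize(token, required_scope, resource_owner, now=None) -> bool:
    """Access decision for one API call: the caller must belong to the customer
    that owns the resource and hold the required scope. Any token failure denies."""
    try:
        caller = resolve_caller(verify_access_token(token, now))
    except TokenError:
        return False
    return caller["customer"] == resource_owner and required_scope in caller["scopes"]


def tamper_claims(token, overrides) -> str:
    """Attacker simulation: rewrite claims without re-signing (must be rejected)."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(claims_b64))
    claims.update(overrides)
    return f"{header_b64}.{b64url_encode(json.dumps(claims).encode())}.{sig_b64}"
```

The point the example makes: in the client_credentials flow the identity you get is the client, not a person, so "who called" is answered by the client registration, either by looking the client up as above or by having the authorization server put the customer identifier into the access token as a claim when the client is registered per customer. Tokens for another audience, forged claims, expired tokens and clients the API has never heard of all end in a denied decision rather than an exception leaking to the caller.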