generated from nyjc-computing/replit-flask-app
Open
Labels: question (Further information is requested)
Description
Question
Should campus.api support client credentials grant for internal service communication? Currently it only supports user session tokens (bearer tokens from OAuth flow).
Context
From integration test refactor analysis:
- API endpoints require Bearer token authentication (user sessions)
- Auth service supports Basic auth for client credentials
- No client_credentials grant flow implemented in campus.auth
- Tests currently work around this with direct token creation
Options
Option A: Implement Client Credentials Flow

```http
POST /auth/v1/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=xxx&client_secret=yyy
```

Response:

```json
{
  "access_token": "...",
  "token_type": "Bearer",
  "expires_in": 3600
}
```

Option B: Keep current approach - use direct token creation in tests, rely on user sessions for API
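As an added illustration of Option A (example code, not the replit-flask-app project's own), a minimal token-endpoint handler for the client_credentials grant in plain Python, framework-independent so it can sit behind a Flask route. The client registry, client id and secret are constructed for the example; client authentication is accepted either via HTTP Basic (which the auth service already supports) or via the client_id/client_secret form fields shown above, and errors use the RFC 6749 error shape.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed client registry for the example; secrets are stored hashed, not in clear.
# A real deployment would load this from the auth service's datastore.
CLIENTS = {"svc-integration-tests": hashlib.sha256(b"example-secret").hexdigest()}
TOKEN_TTL = 3600        # matches the expires_in shown in Option A
ISSUED_TOKENS = {}      # access_token -> (client_id, expiry); in-memory for the example


def _client_from_basic(authorization):
    """Parse 'Authorization: Basic base64(client_id:client_secret)'."""
    if not authorization or not authorization.startswith("Basic "):
        return None, None
    try:
        raw = base64.b64decode(authorization[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None, None
    client_id, _, secret = raw.partition(":")
    return (client_id or None), secret


def handle_token_request(form, authorization=None, now=None):
    """Token endpoint for grant_type=client_credentials (RFC 6749 section 4.4).
    form: parsed application/x-www-form-urlencoded body (dict); authorization:
    optional Authorization header value. Returns (http_status, json_body)."""
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    # Prefer HTTP Basic client auth; fall back to client_id/client_secret in the body.
    client_id, secret = _client_from_basic(authorization)
    if client_id is None:
        client_id, secret = form.get("client_id"), form.get("client_secret")
    if not client_id or secret is None:
        return 400, {"error": "invalid_request"}
    stored = CLIENTS.get(client_id)
    presented = hashlib.sha256(secret.encode()).hexdigest()
    # Constant-time compare, run even for unknown clients so response timing
    # does not reveal whether a client_id is registered.
    matches = hmac.compare_digest(presented, stored or hashlib.sha256(b"").hexdigest())
    if stored is None or not matches:
        return 401, {"error": "invalid_client"}
    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[token] = (client_id, (now or time.time()) + TOKEN_TTL)
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL}
```

The API side would then resolve a presented Bearer token through ISSUED_TOKENS (or the auth service's own token store) and reject expired entries, the same check it already performs for user session tokens.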
Trade-offs
| Approach | Pros | Cons |
|---|---|---|
| Client credentials | Standard OAuth2 flow, enables service-to-service calls | More complex, additional auth surface |
| Direct token creation | Simpler, works for testing | Non-standard, no production service-to-service support |
Decision Needed
- Do we need service-to-service authentication in production?
- Is client_credentials grant required for our architecture?
- Or is user-session-only auth sufficient?
Ref: #330 (integration test refactor)