The scenario is that:
- The service API requires user information (user ID or sign-in email) to process the API call, and it is better to extract this info from the access token.
- From the client side (which could be a web page), we expect to use a fixed account (username/password) and do not require the user to input it manually; the login should be non-interactive and transparent to each user. Consider this account a service account that does not belong to an individual user.
In this case, among the standard OAuth flows, the client credentials flow cannot be used as it contains only application information. Also, the authorization code / implicit flows cannot be used as they require at least one user interaction (to provide identity to the authorization server). Is the ROPC flow the only choice in this case? Or is there a better alternative, as ROPC is considered less secure and is recommended against by the "OAuth 2.0 Security Best Current Practice"?