I would think not as you are offering it to the site. Now, what we could do is add that to the ticket grant type to the token endpoint, so you could request that the ticket be issued and limited to a specific client.
My backend currently stores the discovered ticket_endpoint as the client_id on issued tokens. This value can be retrieved through token verification. (Maybe, unless I broke something there.)
This gives some of the same benefits as I would otherwise have from a client_id. E.g., if a client goes rogue I can revoke all tokens ever issued to it; now if a ticket endpoint goes rogue I can do the same.
I've tried to address this by adding the notation about the grant_type supporting client_id, so the ticket endpoint, when redeeming, can opt to limit it to a specific client_id at that point.