Problem/Motivation

When creating a new consumer with the client credentials grant, the form requires you to also input a User reference with description:

When no specific user is authenticated Drupal will use this user as the author of all the actions made.

This wording made me think the user account is only relevant when the user creates new content and that's the author that would be assigned. But the user is also used in more ways than this. The TokenAuthUser user object essentially wraps the specified user. When ->getRoles() is invoked, it returns the intersection of the user's roles and the scope's roles. This makes sense now that I think about it, because the purpose of the scope is essentially to define what the application/consumer has access to as a subset of what the actual user account has access to.*

*Note that this scoping system doesn't work that way for permissions, confusingly. E.g., the Permission scope seems additive to the permissions of the referenced User account. This is also confusing. Why does the permission scope do this but the Role scope doesn't?

I think this relationship should be made clearer on the configuration form. I initially assumed that I could create a client credentials consumer that acted as its own distinct user and the role and permission scopes would assign that user access to things on the site, but that's not how this works.

Steps to reproduce

Proposed resolution

Update the form description for the User field on client credentials to something like this:

When no specific user is authenticated Drupal will masquerade as this user.

Also figure out a way to clarify the additive nature of the Permission scope vs the intersection nature of the Role scope.

Remaining tasks

User interface changes

API changes

Data model changes

Comments

bkosborne created an issue. See original summary.
