In our stack we use hydra, oathkeeper and keto. I’ve configured oathkeeper to pass the
subject of the request to our API and then I use it as the user ID in our services. This works well for the authorization code grant and the implicit grant but the problem is that now, I would like to implement the client credentials flow in our API. Obviously hydra already handles this mechanism but the problem I have is that the subject I get is now a client id (and not a user id).
So my question is, is there a way to know if a token represent a user or an application ?
If there is not, do you think that adding a field nammed
subject_type in the introspection response would be a good idea ?
Thank you in advance for your answers