That's not quite enough information to figure out what you're trying to do. I'm closing this issue because I can't assign it as is. Add more details, and we can re-open it and assign it if necessary.

Hi Mike, we talked about this problem briefly when we met in Vienna. I need to realize this situation: https://www.scottbrady91.com/img/oauth/full-delegation.png Client accesses API1 with sub=alice. API1 then needs to access API2 to fulfill the request but on behalf of alice. how can I pass this information to API2? I could use Poor Man's Delegation, but that would be dirty and might have serious security flaws as API1 might get more scopes than it actually needs. Using Client Credentials grant would have me lose the information that API1 acts on behalf of alice. So what is the gluu-way to achieve this? Is this solvable using UMA? Or do I need to hook a script into the process? If so: where? Sorry, I could not explain it in a better way! Thanks in advance :-) Nils

How are you controlling access to API2? Using an API Gateway that filters on scope? Or is API2 introspecting the token?

API2 is introspecting the token. So far we have not planned an API gateway.

Here's a possible solution: 1. Require client authentication for the token introspection API (this is a JSON property for oxAuth) 2. In the introspection script, filter the scope (or other claims) based on the client_id Note: you'll have two access tokens here: one that was sent in the Authorization Header, and another that was sent in the payload (for introspection). Here's an [example](https://github.com/nynymike/api-demo/blob/master/gluu_server_introspection_script.py) of filtering the scopes for a demo I'm working on:

Thank you, Mike :-) I'll dig into that and let you know how far I got with this! Best regards, Nils