How to determine which grant type was used for an access token [closed]
I have an API configured in WSO2 API Manager that allows multiple different OAuth 2.0 grant types (client credentials and openid).

My API requires a different behavior depending on whether it was called via an access_token generated by client credentials vs openid. How can the API verify whether this access token provided was generated via client credentials or openid?

Edit and Solution:

I have found a way to do this. The following WSO2 Documentation shows how to configure the API Manager to pass a JWT that includes some token-specific information. In that token you will find the "http://wso2.org/claims/usertype" claim. If your API is being accessed via the client credentials grant type, its value will be APPLICATION; if it is being accessed via openid or SAML, it will be APPLICATION_USER. I haven't found documentation that specifically outlines this scenario, but it seems to work.

Sight answered 10/1, 2018 at 21:49
-1

I don't think there's a direct way of doing this unless you write your own code to get this information from IDN_OAUTH2_ACCESS_TOKEN table.

But using some hacky way you should be able to do this without much effort.

For example,

1) In case you already know the application creator's name (or a userstore domain), you can get the owner of the token as mentioned in this blog post and compare it with the application owner's name. The owner of the tokens which are generated by the client-credentials grant type is always the same as the application owner. However, this method has a limitation: you can't differentiate when the application owner calls the API with an OIDC token and with the client credentials grant type.

2) Enable JWT tokens and then take your decision based on user claims.

Simulcast answered 13/1, 2018 at 15:6
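Both the accepted solution in the question (branch on the "http://wso2.org/claims/usertype" claim of the JWT the gateway forwards) and option 2 of the answer (enable JWT tokens and decide on user claims) describe the same backend check. The following is an added example written for this page; it is not code from the question, the answer, or WSO2. It assumes the gateway forwards the JWT in an `X-JWT-Assertion` header (an assumption; confirm the header name for your API Manager version) and that the backend verifies the JWT signature before trusting any claim. A real WSO2 gateway signs the backend JWT with its own key pair, which needs a JWT library and the gateway's public certificate; to stay dependency-free, this demo signs and verifies a constructed HS256 token with a constructed secret, so `verify_signature` is a stand-in for your library's RS256 check.

```python
"""
Added example (not from the thread and not WSO2 code): decide backend behaviour
from the usertype claim of the JWT that WSO2 API Manager forwards.

Assumptions (not stated on the page):
  * header name X-JWT-Assertion carries the gateway JWT;
  * HS256 with a constructed secret stands in for the gateway's RS256
    signature; swap verify_signature for a library RS256 check in production.
"""
import base64
import hashlib
import hmac
import json

USERTYPE_CLAIM = "http://wso2.org/claims/usertype"
DEMO_SECRET = b"constructed-demo-secret"  # constructed for the demo only


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_jwt(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a constructed HS256 JWT so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_signature(token: str, secret: bytes = DEMO_SECRET) -> dict:
    """Return the claims only if the signature checks out; raise otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept 'none'
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def grant_kind(headers: dict) -> str:
    """
    Map the forwarded JWT to 'client_credentials', 'user' or 'unknown'.
    APPLICATION      -> token issued by the client credentials grant
    APPLICATION_USER -> token issued on behalf of an end user (openid / SAML)
    """
    token = headers.get("X-JWT-Assertion")
    if not token:
        return "unknown"
    claims = verify_signature(token)  # raises on a forged or tampered token
    usertype = claims.get(USERTYPE_CLAIM)
    if usertype == "APPLICATION":
        return "client_credentials"
    if usertype == "APPLICATION_USER":
        return "user"
    return "unknown"


def handle_request(headers: dict) -> str:
    """The behaviour split the question asks for, keyed on the grant kind."""
    kind = grant_kind(headers)
    if kind == "client_credentials":
        return "application-level response"
    if kind == "user":
        return "user-level response"
    return "reject"  # missing or unrecognised token


if __name__ == "__main__":
    app_token = make_demo_jwt({USERTYPE_CLAIM: "APPLICATION", "sub": "DemoApp"})
    user_token = make_demo_jwt({USERTYPE_CLAIM: "APPLICATION_USER", "sub": "alice"})
    print(handle_request({"X-JWT-Assertion": app_token}))
    print(handle_request({"X-JWT-Assertion": user_token}))
```

The check deliberately fails closed: a request with no JWT, an unexpected `alg`, or a signature that does not verify is rejected rather than treated as either grant type, so a caller cannot pick the more permissive branch by sending an unsigned or edited token.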
