Hi,
In general, the **client credential flow** grant is commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user. These types of applications are often referred to as **daemons or service accounts**.
If your identity provider is capable of supporting client credentials flow and able to provide access tokens to the target Denodo REST/SOAP Web service this flow can be used and there are no barriers on the Denodo side in this aspect.
Regarding your second question, when a JWT token does not contain a field to obtain the name of the scopes, you can use either **Global or custom LDAP configuration** to obtain the role name from the LDAP systems. When using this approach the **“Subject field name”** attribute in the JWT token must contain the service account name that should have returned the roles/groups information from the LDAP system.
The Global/Custom LDAP configuration to obtain the role information for an OAuth authentication can be configured in** Administration> Server Configuration > Server authentication > OAuth > Role configuration**.
You can have a look at the Knowledge Base article[ How to configure published web services with Oauth and Azure AD](https://community.denodo.com/kb/en/view/document/How%20to%20configure%20published%20web%20services%20with%20Oauth%20and%20Azure%20AD) for more information.
Hope this helps!