Tags: oauth, oauth-2.0, identityserver3, identityserver4

What OAuth flow to use for Multiple APIs


I am currently working on a project that includes the following:

What authentication flow should be used between the web apps and the identity server that allows the APIs to get information about the user and authorize the user within them? I'm a little stuck here.


Solution

  • You'd typically use the OAuth 2.0 Implicit Grant to obtain an access token for the JS web app that it can then use in calls to the APIs. The APIs can leverage the access token to find out about the Resource Owner who granted access to the API.

    Update: see comment below about deprecation of Implicit over Code+PKCE.