I am designing a REST API for multi-tenant app. I want to protect the API. The multi-tenant app can be subscribed by a tenant who in turn can have multiple users using the app.
I plan to use OAuth for the same. One of the possibility is to use OAuth's Client Credential Flow - where a client Id and secret is given to each tenant who subscribes to the service.
The problem with this approach is, I cannot differentiate between different users of the tenant as everyone uses the same client Id and secret to get access token.
The other option is to use the OAuth's Authorization token flow. But in this case, I am not sure how should be the interaction as it is API (non-UI).
Further, How this kind of use case be solved with SAML?
It can't. The SAML spec. doesn't have a way to pass SAML tokens to API's.
If you need user context, you need to use the authorisation grant flow. Once authenticated, you ask for a JWT tailored for that API (scope etc.) and then send that JWT to the API.