How to securely let an app access a different app using OAUTH and client credentialing grant flow?
I am new to OAUTH and API access and authorization and have been reading about it to conceive a high-level solution for integrating two applications.
I work for company A which makes product A. Product A is hosted on Azure and is a RESTful API. We were acquired by company B which makes product B and product B client-server and not hosted on the web.
Product B has its own data center and Product A on Azure. Product A has separate instances for each of our clients like client1.productA.com, client2.productB.com, etc. Prod A is single-tenant only for now.
Product B and A will share the same clients in the future.
Instances of Prod B talk to instances of product A by sending JSON requests and receiving a response but before that, someone from product A logins into the product A UI with admin roles and has to generate a bearer token and share it via encrypted email with Product B folks and they plug that bearer token into their environment variables and then the flow starts. This can take 2 weeks of exchanging emails and whatnot.
What we are trying to do is remove manual intervention and automate it between A and B. Product B has OKTA as their IDP and has OIDC. Product A is ADFS with SAML 2.0 and also supports OIDC. Basically, Product B should request access to Product A API, and Product A should verify it is product B and then share the access token for server-server flow.
Question:
- how can product A verify product B's request to access it? Will product B's IDP (OKTA) be used to verify product B's request or will it be product A's ADFS?
I am trying to draw up a workflow solution however I am not sure if I am on the right path.
The fact that App A uses SAML to authenticate users doesn't help when authenticating another applications (SAML cant authenticate application to application), authenticating application to application that’s not on behalf of a user uses OIDC Client Credentials Flow which uses a client secret for the connecting instance of the application that has to be added manually, and this is what's seem to be taking 2 weeks.
There's 2 possibilities now:
If each instance authenticate not on behalf of a user,then all what you can do is to improve/automated the 2 weeks process by things like kicking an automated workflow every time an instance of App B is created
If App B connects to App A on behalf of a user, then you can add ADFS as an external identity provider in Okta (with one client secret in the application itself rather than for each instance), and configure it to use OIDC for authentication, and use the produced token to access application A.
I hope I've got the problem right and that's useful:)
- KeyCloak Java Service Account Create User
- Get Google business reviews server side
- SpringBoot OAuth2 with Keycloak not returning mapped Roles as Authorities
- Aws Cognito Oauth2: Refresh token rotation
- What is the purpose of the "access_token=" parameter when downloading a file from Google Drive?
- java.lang.IllegalArgumentException: Unable to resolve the Configuration with the provided Issuer
- How do I implement social login with GitHub accounts?
- portainer keycloak 20 oauth login "unauthorized" / "Unable to login via OAuth"
- Google Oauth2 redirect_uri_mismatch when send request from localhost
- Google OAuth 2 authorization - Error: redirect_uri_mismatch
- Use Entra ID as Identity Provider for Client Credentials flow
- Should access tokens be refreshed automatically or manually?
- OIDC login flow breaks in react strict mode for react-admin v5
- M2M Client Credential Flow between NetSuite and Synapse
- LWA : Not able to exchange Authorization Code for AccessToken : invalid_grant
- How to authenticate resource owner with JWT when sending request to /oauth2/authorize?
- SSO in a .NET Core web app, authenticating MS Entra users using OIDC/OAuth
- Help on Facebook Graph API, returns "false" but UID is public
- Microsoft OAuth2 Authentication Not Returning Refresh Token
- How do refresh tokens work in an OAuth flow?
- MSAL.NET OBO refresh token problems
- UPS OAUTH authorize API integration getting timeout
- SpringBoot + AWS cognito, can't resolve issuerUri
- Call Google Cloud Functions from App Scripts
- MailKit OAuth2 SMTP Office365 Send Mail
- Keycloak-Remix integration: where should I place the checks?
- Oauth2 Bff unable to connect with keycloak using reverse proxy
- AttributeError: 'Graph' object has no attribute 'get_user_token'
- Gmail API scopes - send email with https://www.googleapis.com/auth/gmail.addons.current.action.compose
- Using PHPMailer when already have an access token