oauth-2.0oauthadfsoktaclientcredential

How to securely let an app access a different app using OAUTH and client credentialing grant flow?


I am new to OAUTH and API access and authorization and have been reading about it to conceive a high-level solution for integrating two applications.

I work for company A which makes product A. Product A is hosted on Azure and is a RESTful API. We were acquired by company B which makes product B and product B client-server and not hosted on the web.

Product B has its own data center and Product A on Azure. Product A has separate instances for each of our clients like client1.productA.com, client2.productB.com, etc. Prod A is single-tenant only for now.

Product B and A will share the same clients in the future.

Instances of Prod B talk to instances of product A by sending JSON requests and receiving a response but before that, someone from product A logins into the product A UI with admin roles and has to generate a bearer token and share it via encrypted email with Product B folks and they plug that bearer token into their environment variables and then the flow starts. This can take 2 weeks of exchanging emails and whatnot.

What we are trying to do is remove manual intervention and automate it between A and B. Product B has OKTA as their IDP and has OIDC. Product A is ADFS with SAML 2.0 and also supports OIDC. Basically, Product B should request access to Product A API, and Product A should verify it is product B and then share the access token for server-server flow.

Question:

  1. how can product A verify product B's request to access it? Will product B's IDP (OKTA) be used to verify product B's request or will it be product A's ADFS?

I am trying to draw up a workflow solution however I am not sure if I am on the right path.

enter image description here


Solution

  • The fact that App A uses SAML to authenticate users doesn't help when authenticating another applications (SAML cant authenticate application to application), authenticating application to application that’s not on behalf of a user uses OIDC Client Credentials Flow which uses a client secret for the connecting instance of the application that has to be added manually, and this is what's seem to be taking 2 weeks.

    There's 2 possibilities now:

    1. If each instance authenticate not on behalf of a user,then all what you can do is to improve/automated the 2 weeks process by things like kicking an automated workflow every time an instance of App B is created

    2. If App B connects to App A on behalf of a user, then you can add ADFS as an external identity provider in Okta (with one client secret in the application itself rather than for each instance), and configure it to use OIDC for authentication, and use the produced token to access application A.

    I hope I've got the problem right and that's useful:)