I am trying to make sense of OAuth2 for an API. The first important thing to consider is that the client does not authenticate directly to the API with OAuth2. The client authenticates with a public/private key pair, but the client is a service to end users, who can then authenticate using OAuth2.
I am using the authentication code flow, which calls my backend at the redirect URI, which then creates a temporary table containing the code, unique ID and OAuth2 provider. All of which works fine.
The idea is then to have the client make a request to the API to create a user from the OAuth2 details; I need this to match the API key of the client to that particular user. The problem is that with the authorisation code flow I do not have any knowledge of any token, unique ID or code on the client itself. Am I barking up the wrong tree here and using the wrong approach?
Should I instead require a token with an implicit flow, then pass said token to the API, which makes a request with that token and retrieves whatever data it needs?
Thank you very much
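The authorization-code handoff the question describes, as an added example that is not code from the post or from any real provider: an in-memory stand-in for the OAuth2 provider, a backend redirect handler that keeps the code exchange entirely server-side, and a client that only ever holds an opaque id it was given when it started the login, which it later presents together with its own API key. The `state` parameter is what ties the provider's callback back to the client that started the flow. All class and function names, the redirect URI and the secret and key values are assumptions constructed for the example.

```python
import hmac
import secrets

REDIRECT_URI = "https://api.example.test/oauth2/callback"  # assumed, illustrative
PROVIDER_CLIENT_SECRET = "provider-client-secret"            # constructed sample value


class FakeProvider:
    """Constructed stand-in for an OAuth2 authorization server (not a real provider)."""

    def __init__(self):
        self._codes = {}  # code -> (subject, redirect_uri); each code is single-use

    def authorize(self, subject, redirect_uri, state):
        # The user authenticates at the provider; the browser is sent back to
        # redirect_uri with ?code=...&state=... . Only the backend ever sees the code.
        code = secrets.token_urlsafe(16)
        self._codes[code] = (subject, redirect_uri)
        return {"code": code, "state": state}

    def token(self, code, redirect_uri, client_secret):
        entry = self._codes.pop(code, None)  # pop: a code cannot be exchanged twice
        if entry is None or entry[1] != redirect_uri:
            raise ValueError("invalid_grant")
        if not hmac.compare_digest(client_secret, PROVIDER_CLIENT_SECRET):
            raise ValueError("invalid_client")
        subject, _ = entry
        return {"access_token": "at-" + secrets.token_urlsafe(8), "sub": subject}


class Backend:
    """The API backend: owns the redirect URI and the temporary table from the post."""

    def __init__(self, provider):
        self.provider = provider
        self.pending = {}  # state -> (client_api_key, provider_name, unique_id)
        self.users = {}    # unique_id -> stored login result (the "temporary table")

    def start_login(self, client_api_key, provider_name):
        # The client (the user-facing service) starts the flow with its own credential
        # and receives the unique_id up front, so it never needs the code or token.
        state = secrets.token_urlsafe(16)
        unique_id = secrets.token_urlsafe(8)
        self.pending[state] = (client_api_key, provider_name, unique_id)
        return state, unique_id

    def redirect_handler(self, code, state):
        # Called via the provider redirect. state ties this callback to the login a
        # specific client started; an unknown or reused state is rejected outright.
        entry = self.pending.pop(state, None)
        if entry is None:
            raise PermissionError("unknown or replayed state")
        client_api_key, provider_name, unique_id = entry
        tok = self.provider.token(code, REDIRECT_URI, PROVIDER_CLIENT_SECRET)
        self.users[unique_id] = {
            "provider": provider_name,
            "sub": tok["sub"],
            "client_api_key": client_api_key,
            "claimed": False,
        }
        return unique_id

    def create_user(self, client_api_key, unique_id):
        # The client presents its API key plus the unique_id from start_login; the
        # record is released only to the client that started that login, and only once.
        rec = self.users.get(unique_id)
        if rec is None or not hmac.compare_digest(rec["client_api_key"], client_api_key):
            raise PermissionError("no login for this client and id")
        if rec["claimed"]:
            raise PermissionError("login already claimed")
        rec["claimed"] = True
        return {"provider": rec["provider"], "sub": rec["sub"]}


def demo_flow():
    """Runs one login end to end and returns what each step produced, for checking."""
    provider = FakeProvider()
    backend = Backend(provider)
    client_key = "client-A-key"  # constructed; stands in for the client's credential

    state, unique_id = backend.start_login(client_key, "fake-provider")
    callback = provider.authorize("alice@example.test", REDIRECT_URI, state)
    returned_id = backend.redirect_handler(callback["code"], callback["state"])
    user = backend.create_user(client_key, unique_id)

    # Failure modes worth checking: replayed code, replayed state,
    # a different client claiming the login, and a double claim.
    def fails(fn):
        try:
            fn()
        except (ValueError, PermissionError):
            return True
        return False

    return {
        "ids_match": returned_id == unique_id,
        "user": user,
        "code_replay_rejected": fails(lambda: provider.token(callback["code"], REDIRECT_URI, PROVIDER_CLIENT_SECRET)),
        "state_replay_rejected": fails(lambda: backend.redirect_handler(callback["code"], state)),
        "other_client_rejected": fails(lambda: backend.create_user("client-B-key", unique_id)),
        "double_claim_rejected": fails(lambda: backend.create_user(client_key, unique_id)),
    }


if __name__ == "__main__":
    print(demo_flow())
```

The design point the example isolates: the client never needs the code or the provider's token, because the backend already knows which client started the login (recorded against `state` before the redirect) and hands that client an opaque `unique_id` at the start rather than at the end. In a real deployment the pending and user records would be stored with an expiry, and the provider's token endpoint would be called over TLS with the registered client secret.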