How would an API call another API with oauth2 if both APIs use different identity providers?

2
votes

In the past, I have had 2 APIs, both secured with Azure AD. The first API would take the access token and request another access token for the second API with the following param: requested_token_use=on_behalf_of Info source: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow

However, this is due to both APIs being on Azure AD. Controlled in the same directory.

If the first API was Azure AD and the second was auth0, how would the second API get an access token without the user being able to login to a authorization screen?

1
authenticationoauth-2.0azure-active-directoryauth0

1 Answers

1
votes

In that case you can use Password Grant Flow or Client Credentials Flow. You can read more about service to service authentication on Microsoft or Google pages.

Does this give you everything you had with on behalf flow? No. With on behalf flow you had token with user's claims for both systems. This way you access service B with service A credentials and if you have fine-grained per user permissions you need to implement logic in service A.