1
votes

I am thinking about using OAuth to grant application access to user resources. Everything works in a closed company environment.

The first flow I thought about was the authorization code flow, and everything looks as I need, but I don't want to ask the user to authorize access, because it's an internal company application and account and there is no reason for the user not to grant it. I want to ask the user for login and password, go back to the application with an authorization code and ask for an access token to the resource with this authorization code, the client's id and the client's secret. Is there something like this described in OAuth? Or does removing the step where I ask the user to authorize break OAuth, so that it would be my own implementation which just looks like OAuth?

I know there is the client credentials flow, but I would have to grant the application access to every user resource, right? Or is there something that I am missing?


1 Answer

2
votes

OAuth2 is really designed to allow users (resource owners) to give a third-party client access to their resources. For those use cases, giving consent makes sense.

Now, a lot of authorization servers allow you to configure whether a consent page is displayed, or allow an administrator to consent to the application for all users (admin consent). So it kind of depends on which authorization server you are using.

The client credentials flow gives the client itself access to the resources on the API (resource server). The API would not know which user was accessing the resources, which doesn't work if access depends on who the user is, for example when users can only access their own resources or their level of access depends on who they are.
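To make the answer's two points concrete, here is an added toy model (not code from the question, the answer, or any real authorization server) of an in-memory authorization server and resource server. It assumes a per-client `consent` policy setting (`"user"` prompts each user, `"admin"` relies on an administrator having consented for everyone), which is a constructed stand-in for whatever a real server exposes, and it shows why a client-credentials token carries no user subject and so cannot satisfy a "users may only read their own resources" check.

```python
# Added example: minimal in-memory model of the authorization code grant with a
# configurable consent policy, next to the client credentials grant. Tokens are
# plain dicts here (a real server would sign them); all client ids, secrets and
# user names are constructed placeholders.
import hmac
import secrets

# Constructed client registry. The "consent" key is an assumed policy setting,
# not a standard OAuth2 field; real servers name and expose this differently.
CLIENTS = {
    "hr-portal": {"secret": "s3cr3t-hr", "consent": "admin"},   # admin-consented
    "ext-app":   {"secret": "s3cr3t-ext", "consent": "user"},   # prompt each user
}
_admin_consented = {"hr-portal"}   # clients an administrator approved for all users
_codes = {}                        # authorization code -> (client_id, user)

def authorize(client_id, user, user_consented=False):
    """Authorization endpoint, called after the user has logged in.
    Returns ("consent_required", None) or ("code", code)."""
    policy = CLIENTS[client_id]["consent"]
    if policy == "user" and not user_consented:
        return "consent_required", None
    if policy == "admin" and client_id not in _admin_consented:
        return "consent_required", None
    code = secrets.token_urlsafe(16)
    _codes[code] = (client_id, user)   # the code is bound to client and user
    return "code", code

def _check_secret(client_id, client_secret):
    if not hmac.compare_digest(CLIENTS[client_id]["secret"], client_secret):
        raise PermissionError("bad client credentials")

def token_authorization_code(client_id, client_secret, code):
    """Token endpoint: exchange a single-use code for a user-bound token."""
    _check_secret(client_id, client_secret)
    bound_client, user = _codes.pop(code)   # single use; KeyError if unknown/reused
    if bound_client != client_id:
        raise PermissionError("code was issued to a different client")
    return {"sub": user, "client_id": client_id, "scope": "resource.read"}

def token_client_credentials(client_id, client_secret):
    """Token endpoint: the client acts for itself, so no user subject is set."""
    _check_secret(client_id, client_secret)
    return {"client_id": client_id, "scope": "resource.read"}

def can_read_resource(token, owner):
    """Resource server rule: only the owner may read their own resource.
    A client-credentials token has no "sub", so it is always refused here."""
    return token.get("sub") == owner
```

Running the model shows the admin-consented client gets a code without a consent page while the other client does not, and that a client-credentials token, lacking `sub`, fails the ownership check for every user.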