We have partners who would wish to use our API. In order to grant them access to our API, we would like to implement a flow similar to that of Google when you sign in from another app.
I’ve read the article OAuth2 Implicit Grant and SPA by Vittorio, the OAuth2 Authorization Framework, and the Authorization Flows section of the documentation, but I am still unclear about how to implement it properly.
So to get started, here are a few questions that I couldn’t figure out from the documentation:
1. Does the partner application need to have a client ID created through our Management Dashboard?
2. How can I limit the scopes that the partner application has access to?
   2.1. Is there a way to do so on the Management Dashboard?
   2.2. Can I have a Rule that refuses certain scopes?
   2.3. How do I return such an error to the application?
   2.4. Can I use a Rule to grant different scopes than those requested?
3. Is the auth-spa-js package a turnkey solution?
   3.1. Can my partners simply install this package on their SPAs, follow the steps, and then be able to leverage the Authorization Code with PKCE flow right away?
   3.2. How can they specify which OAuth2 scopes they want?
   3.3. Is this secure, or do I need to implement supplementary measures to protect my users’ auth?
   3.4. Does this solution allow refreshing the token? What are the conditions under which the user has to reauthenticate?
   3.5. If it is not a turnkey solution, how do I implement a secure flow to grant some permissions to an external application? Is there a sample repository I can reproduce?
   3.6. If this is a turnkey solution, why is it not the very first thing that we see in the Authorization Flows section?
Thanks a lot for your help!
Have a great day