We would like our hosted software to connect to our APIs impersonating a client user, as the user is hosting this software on our environment. We would like to give every user a private access token so the backend can always impersonate a user when needed. In order to do so, can we use the end user's access token to generate a refresh token for this user once and reuse it in our backend applications?
Update: (follow-up to @jmangelo's answer)
If I understand correctly, the flow would then be as follows:
- SPA requests offline access token (wouldn’t this create a security problem?)
- SPA sends offline access token for secured central storage to api
- Client enables one of our unattended SaaS services (runs entirely on its own and separated from the web API and SPA) -> this SaaS application runs not as an API but as a standalone app
- SaaS service retrieves the offline access token from secured central storage
- SaaS service impersonates the user to request user data
- User logs out of SPA and the service keeps using the offline access token
- SaaS discovers it needs to increase capacity, uses the client's offline access token to start up new instances and impersonates the user.
Overall we need to create an API token for each user we have in order to host services and impersonate the user.