I’ve been looking for a while to find out the best practices for nesting several APIs and the authorisation involved… So I have a main API that accesses a next-level API to get information. In some cases this might be a generic API that is not really different for each user connecting, but sometimes it might respond differently for each user… Hence, it could just be using the same token that is provided to the highest-level API…
What is the best practice? Just get the token and pass it to the next API in its headers? Or is there another way? I’m wondering if I’m looking at it in too simplistic a way. It would work, but should it be done that way?
Of course this is only relevant if both services are using the same identity provider; if not, then of course it doesn’t work…
Any insights would be greatly appreciated as I’ve been pondering about this one for a while, and couldn’t find anything explaining the best practice, or I just don’t know what it’s called (if it has a specific name :-))