My frontends call an API Gateway (BFF) which in turn calls many private backend APIs. What’s the recommended pattern for impersonating/delegating access to private backends? As far as I understand, RFC 8693 - OAuth 2.0 Token Exchange is not yet supported…
You can use either Auth Code or Auth Code + PKCE for this.
With Auth Code, you use a session cookie between the front end and BFF for login info, and the BFF gets access tokens as needed.
With Auth Code + PKCE, the front end will get access tokens as needed, including one for communicating with the BFF (so you don’t need the session cookie here).
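To make the two options above concrete, here is an added example (my own illustration, not code from the thread or from any particular gateway product). The PKCE helpers show what the front end generates and what the authorization server checks at the token endpoint in the Auth Code + PKCE variant (RFC 7636, S256 method); the `Bff` class shows the plain Auth Code variant, where the browser only holds an opaque `HttpOnly` session cookie and the BFF keeps the access token server-side and attaches it when calling a backend. All class, function and token names are hypothetical, and the backend is a constructed stand-in so the block runs offline.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# ---- Auth Code + PKCE (RFC 7636) : what the front end generates ----

def make_code_verifier(n_bytes: int = 32) -> str:
    """Random verifier, kept only in the front end until the /token call.
    base64url of 32 bytes is 43 chars, the RFC 7636 minimum length."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 challenge sent on the /authorize request: base64url(SHA-256(verifier))."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# ---- Authorization server side: the check at /token ----

def pkce_verify(stored_challenge: str, presented_verifier: str) -> bool:
    """The AS stored the challenge with the authorization code; at /token it
    recomputes S256 over the presented verifier and compares in constant time."""
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


# ---- Plain Auth Code with a BFF: session cookie in the browser, token in the BFF ----

@dataclass
class BffSession:
    access_token: str
    refresh_token: Optional[str] = None  # would be used to renew the access token


class Bff:
    """Hypothetical BFF: maps an opaque session id to the tokens it obtained
    via the Auth Code flow. The browser never sees the access token."""

    COOKIE_NAME = "bff_session"

    def __init__(self) -> None:
        self._sessions: Dict[str, BffSession] = {}

    def complete_login(self, access_token: str, refresh_token: Optional[str] = None) -> Dict[str, str]:
        """Called after the BFF has redeemed the authorization code at the AS.
        Returns the Set-Cookie pieces for the browser; the value is random, not the token."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = BffSession(access_token, refresh_token)
        return {
            "name": self.COOKIE_NAME,
            "value": sid,
            "attrs": "HttpOnly; Secure; SameSite=Lax; Path=/",
        }

    def backend_request(
        self,
        cookie_value: Optional[str],
        backend_call: Callable[[Dict[str, str]], Tuple[int, Optional[dict]]],
    ) -> Tuple[int, Optional[dict]]:
        """Look the session up by cookie and call the private backend with a Bearer header."""
        sess = self._sessions.get(cookie_value or "")
        if sess is None:
            return 401, None  # no/unknown session: nothing is forwarded
        return backend_call({"Authorization": f"Bearer {sess.access_token}"})


# Constructed stand-in for a private backend that accepts exactly one token.
BACKEND_EXPECTED_TOKEN = "at-constructed-123"  # constructed sample value, not a real token


def fake_backend(headers: Dict[str, str]) -> Tuple[int, Optional[dict]]:
    if headers.get("Authorization") == f"Bearer {BACKEND_EXPECTED_TOKEN}":
        return 200, {"data": "private"}
    return 401, None


if __name__ == "__main__":
    v = make_code_verifier()
    print("verifier:", v, "challenge:", make_code_challenge(v))
    bff = Bff()
    cookie = bff.complete_login(BACKEND_EXPECTED_TOKEN)
    print("backend via BFF:", bff.backend_request(cookie["value"], fake_backend))
```

The `pkce_verify` vector below is the one from RFC 7636 Appendix B, which is a convenient way to check an S256 implementation without an authorization server.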
And the access token would be forwarded as is from the BFF to the backends?