I may be missing the mark, or not understanding the lingo, but I would like some guidance on this please.
I would like to control access/resources not only based on the end user, but also at the client app level: simply lock down my backend API and allow different clients to access different features of the API. It seems to me that this should be something everyone is doing, but I cannot find a good resource on the topic.
- Client App starts up and gets a token from an App Auth Server
- Client App uses said token to get resources (non end user specific info) from Resource Server (the backend API)
- End user wants to access their data, so they log in via a User Auth Server and get an end user auth token
- Client App then sends both client-token and user-token to backend API for user specific resources; they get verified, etc., and data is returned
Where I get hung up is how to pass the two tokens. Am I way off the mark here? Am I overlooking something? Any help would be greatly appreciated.
Thanks so much,
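The flow sketched in the question, as an added illustration that is not part of the original post: two issuers (an App Auth Server and a User Auth Server) sign tokens with separate keys, and the resource server checks the client token on every request and additionally requires a user token on user-specific routes. Everything here is assumed for the example: the HMAC-signed token format stands in for a JWT, the `Authorization: Bearer` header carries the client token, an `X-User-Token` header carries the end-user token, and the per-client feature table is invented. One check the question does not mention but a practitioner would want is also shown: the user token records which client it was issued to (`aud`), so a user token cannot be replayed through a different client.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed signing keys for the two issuers (placeholders, not real secrets).
APP_AUTH_KEY = b"app-auth-server-key"
USER_AUTH_KEY = b"user-auth-server-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(key: bytes, claims: dict, ttl_seconds: int = 600) -> str:
    """HMAC-signed token 'base64(json claims).base64(mac)'; a stand-in for a JWT."""
    claims = dict(claims, exp=time.time() + ttl_seconds)
    body = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(mac)}"


def verify_token(key: bytes, token: str, expected_type: str) -> Optional[dict]:
    """Return the claims if the MAC, type and expiry check out, else None."""
    try:
        body_b64, mac_b64 = token.split(".")
        body, mac = _unb64(body_b64), _unb64(mac_b64)
    except ValueError:
        return None
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), mac):
        return None
    claims = json.loads(body)
    if claims.get("typ") != expected_type or claims.get("exp", 0) < time.time():
        return None
    return claims


# Assumed policy: which API features each registered client app may use.
CLIENT_FEATURES = {
    "mobile-app": {"catalog", "profile"},
    "kiosk": {"catalog"},
}

# Assumed route table: (feature required, whether an end-user token is required).
ROUTES = {
    "/catalog": ("catalog", False),
    "/me/profile": ("profile", True),
}


def handle_request(path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Resource-server decision for one request; returns (status, message)."""
    feature, needs_user = ROUTES.get(path, (None, None))
    if feature is None:
        return 404, "no such route"

    # 1. The client token is mandatory on every request.
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing client token"
    client = verify_token(APP_AUTH_KEY, auth[len("Bearer "):], "client")
    if client is None:
        return 401, "invalid client token"
    client_id = client.get("client_id", "")
    if feature not in CLIENT_FEATURES.get(client_id, set()):
        return 403, f"client {client_id} is not allowed feature {feature}"
    if not needs_user:
        return 200, f"{feature} data for client {client_id}"

    # 2. User-specific routes additionally need a user token that was
    #    issued to this same client (assumed 'aud' binding).
    user = verify_token(USER_AUTH_KEY, headers.get("X-User-Token", ""), "user")
    if user is None:
        return 401, "missing or invalid user token"
    if user.get("aud") != client_id:
        return 403, "user token was not issued to this client"
    return 200, f"{feature} data for user {user.get('sub')} via {client_id}"


if __name__ == "__main__":
    ct = issue_token(APP_AUTH_KEY, {"typ": "client", "client_id": "mobile-app"})
    ut = issue_token(USER_AUTH_KEY, {"typ": "user", "sub": "alice", "aud": "mobile-app"})
    print(handle_request("/catalog", {"Authorization": "Bearer " + ct}))
    print(handle_request("/me/profile", {"Authorization": "Bearer " + ct, "X-User-Token": ut}))
```

The two tokens travel in separate headers so the resource server never has to guess which is which; using two different signing keys means a user token presented in the `Authorization` header simply fails verification as a client token.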