I have been looking into OAuth 2.0, the various flows, etc., and there is one thing I can’t figure out:
Suppose I have a client (not a browser) that is trying to access a certain resource on a Resource Server, and the resource turns out to require authorization in order to access it, so it returns a 401. How does the client know which Authorization Server it needs to talk to?
In the case of web pages, this seems to be quite simple: a page that requires a user to log in will simply redirect to the login page with a 302 response. But I don’t think that makes sense when the client is not a browser and is basically accessing a REST API.
In our case, hard-coding a certain Authorization Server is not really an option: the client is supposed to talk to whatever server our customer has set up, so the Authorization Server can vary from customer to customer (Auth0 obviously being an attractive option).
I thought that perhaps “Device Flow” would be an option, but even a description of that flow starts out with the client contacting the Authorization Server.
The client is a Windows application, actually an installer, that should load some settings by just pointing it to a URL, with the user providing authorization info if needed.
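As an added example (not part of the question above), one standards-based way a non-browser client can locate the Authorization Server from the 401 itself: parse the Bearer challenge (RFC 6750), fetch the protected-resource metadata (RFC 9728) to learn its `authorization_servers`, then fetch that server's metadata (RFC 8414) and verify its `issuer`. The hostnames, paths and the `SAMPLE_DOCS` documents are constructed, and `fetch` is a hypothetical injected HTTP getter so the code runs offline.

```python
import json
import re
from urllib.parse import urlsplit, urlunsplit

# Matches one auth-param of a Bearer challenge (RFC 6750 section 3),
# either quoted (realm="x") or a bare token (error=invalid_token).
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')

def parse_bearer_challenge(header):
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % header)
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(rest)}

def resource_metadata_url(challenge, resource_url):
    # RFC 9728: the challenge may name the metadata URL directly; otherwise the
    # well-known segment is inserted between the host and the resource path.
    if "resource_metadata" in challenge:
        return challenge["resource_metadata"]
    parts = urlsplit(resource_url)
    path = "/.well-known/oauth-protected-resource" + parts.path.rstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))

def authorization_server_metadata_url(issuer):
    # RFC 8414 section 3: same insertion rule, applied to the issuer URL.
    parts = urlsplit(issuer)
    path = "/.well-known/oauth-authorization-server" + parts.path.rstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))

def discover_token_endpoint(resource_url, challenge_header, fetch):
    # fetch(url) -> JSON text; injected (hypothetical) so this runs offline.
    challenge = parse_bearer_challenge(challenge_header)
    rs_meta = json.loads(fetch(resource_metadata_url(challenge, resource_url)))
    issuer = rs_meta["authorization_servers"][0]
    as_meta = json.loads(fetch(authorization_server_metadata_url(issuer)))
    # RFC 8414 section 3.3: the issuer in the document must equal the issuer
    # the URL was derived from, or the client may be redirected to a rogue AS.
    if as_meta.get("issuer") != issuer:
        raise ValueError("issuer mismatch: %r" % as_meta.get("issuer"))
    return as_meta["token_endpoint"]

# Constructed sample documents standing in for the two HTTPS responses.
SAMPLE_DOCS = {
    "https://settings.example.com/.well-known/oauth-protected-resource/api/settings":
        '{"resource": "https://settings.example.com/api/settings", "authorization_servers": ["https://customer.example.com/oauth"]}',
    "https://customer.example.com/.well-known/oauth-authorization-server/oauth":
        '{"issuer": "https://customer.example.com/oauth", "token_endpoint": "https://customer.example.com/oauth/token"}',
}

if __name__ == "__main__":
    print(discover_token_endpoint("https://settings.example.com/api/settings", 'Bearer realm="settings"', SAMPLE_DOCS.__getitem__))
```

The same metadata document would also carry a `device_authorization_endpoint` if the Authorization Server supports the Device Flow, so the client only needs the resource URL up front.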