I’m trying to find the best authentication flow for my scenario:
I have set up a regular web application, and some users go through the regular username and password login flow. This part works fine, but there is an additional requirement. There is another group of users who belong to a third-party system. We want to implement a mechanism in that other web application to authenticate its users into our application; we don’t need to create an account for this type of user, we just need to know they came from that other app and allow them to navigate the site.
What I was thinking is setting up an API and giving the third party a client id and secret so they could generate an auth token. This way I know the request is coming from them, but I don’t know how to let the user be authenticated in our application. I would need to set the authentication cookie for them, but this can’t be done across domains.
Can I authenticate a user with only an API token? If there is an alternate approach I am not seeing, I’m open to suggestions.
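As an added example (not part of the original question and not code from any answer on the page), here is one way the handoff the question describes can work without setting a cookie across domains: the partner signs a short-lived, single-use token with the shared secret tied to its client id, redirects the user's browser to the receiving app carrying that token, and the receiving app verifies the token and then sets its own session cookie on its own domain. The token format (base64url JSON payload plus HMAC-SHA256), the partner id `partner-app`, the secret value, and the names `PARTNER_SECRETS`, `issue_handoff_token`, `verify_handoff_token`, `handoff_outcome` and `start_partner_session` are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example: one shared secret per partner client id.
# In a real deployment this would come from a secret store, not source code.
PARTNER_SECRETS = {"partner-app": b"constructed-shared-secret-change-me"}
TOKEN_TTL = 60          # seconds: long enough for one redirect, no longer
CLOCK_SKEW = 30         # seconds of tolerance for partner/our clock drift


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_handoff_token(client_id, external_user_id, secret, now=None, ttl=TOKEN_TTL):
    """Partner side: build a signed, short-lived, single-use handoff token.

    Format is "<base64url(JSON claims)>.<base64url(HMAC-SHA256)>"; the MAC is
    computed over the encoded claims string so verification never re-serialises.
    """
    now = int(time.time()) if now is None else now
    claims = {
        "iss": client_id,                 # which partner issued it
        "sub": external_user_id,          # the partner's own user identifier
        "iat": now,
        "exp": now + ttl,
        "jti": secrets.token_urlsafe(16),  # unique id so the token can be single-use
    }
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


class HandoffError(Exception):
    """Raised for any token that must not log a user in."""


def verify_handoff_token(token, now=None, used_jtis=None):
    """Our side: check issuer, signature, lifetime and single use; return claims."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        claims = json.loads(_b64url_decode(body))
        given_sig = _b64url_decode(sig)
        issuer, iat, exp, jti = claims["iss"], int(claims["iat"]), int(claims["exp"]), str(claims["jti"])
    except (ValueError, KeyError, TypeError, AttributeError):
        raise HandoffError("malformed token")
    secret = PARTNER_SECRETS.get(issuer)
    if secret is None:
        raise HandoffError("unknown issuer")
    # Recompute the MAC with the issuer's secret; constant-time comparison.
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):
        raise HandoffError("bad signature")
    if not (iat - CLOCK_SKEW <= now < exp):
        raise HandoffError("token expired or not yet valid")
    if used_jtis is not None:
        if jti in used_jtis:
            raise HandoffError("token already used")
        used_jtis.add(jti)      # replay protection: each jti is accepted once
    return claims


def handoff_outcome(token, now=None, used_jtis=None):
    """Convenience wrapper: claims dict on success, error string on rejection."""
    try:
        return verify_handoff_token(token, now, used_jtis)
    except HandoffError as err:
        return str(err)


SESSIONS = {}   # in-memory session store, constructed for the example


def start_partner_session(claims, secure=True):
    """Mint our own server-side session and the Set-Cookie value for our domain."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"kind": "partner", "iss": claims["iss"], "sub": claims["sub"],
                     "created": time.time()}
    cookie = f"session={sid}; Path=/; HttpOnly; SameSite=Lax" + ("; Secure" if secure else "")
    return sid, cookie


if __name__ == "__main__":
    # Partner redirects the browser to e.g. https://our-app.example/partner-login?token=...
    token = issue_handoff_token("partner-app", "user-42", PARTNER_SECRETS["partner-app"])
    used = set()
    claims = verify_handoff_token(token, used_jtis=used)
    sid, set_cookie = start_partner_session(claims)
    print("logged in partner user", claims["sub"], "->", set_cookie)
    print("replay attempt:", handoff_outcome(token, used_jtis=used))
```

The receiving endpoint does no cross-domain cookie work at all: the only cookie it sets is its own, on its own domain, after the token checks pass. Because the token travels in a URL it will appear in browser history and server logs, so the short lifetime and the single-use `jti` check are what limit the damage of a leaked one; posting the token in a form body instead of a query string removes it from logs entirely. The `used_jtis` set would need to be shared storage (with entries expiring after `TOKEN_TTL`) once the receiving app runs on more than one server.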