We are in a use case where we have customers (let’s call them Customer) with their application (let’s call it Customer App). They have their own users that they manage, and we have an SDK that they integrate into their application that has to communicate with our API (let’s call it Our API). How should those users auth with us? We obviously don’t want another login screen beyond the auth they already have between their User in Customer App and Customer API. Our SDK (frontend/untrusted client) has to communicate directly with Our API without going through their trusted backend (Customer API), and the bearer token should be specific to the user, not a single token for all the Customer’s users. And of course we cannot guarantee that they have an IDP that is OpenID or SAML, or even proper OAuth2.
The solution we came up with for now is letting the Customer API do the Resource Owner Password Flow on behalf of their user. The Customer API uses the user’s credentials to get a token, that token is passed to the Customer App, and the Customer App can call Our API with it. This is not ideal, because they have to know/manage the credentials of their users to use Our API. Also, if the user modifies their credentials without going through the Customer API, they won’t be able to auth anymore (is there a way to block any user password change on our side?).
Finally, is there a better solution that we cannot see and that fulfills all the engineering constraints:
- No constraint on customer’s IDP (not our responsibility, not our problem)
- User in Customer App (untrusted) can use Our API directly, and is identified as a specific user
- No double auth / login in their app.
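The flow the post describes, as an added example that is not the poster's code: a constructed in-memory token endpoint stands in for the authorization server (HS256 JWT, 5-minute expiry, a demo key and a constructed user record are all assumptions), the Customer API runs the password grant with the credentials it stores for its user, and Our API verifies the resulting token and reads the per-user `sub`. It also shows the failure mode the post raises: once the user changes their password outside the Customer API, the stored credentials no longer yield a token.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed stand-in for the authorization server that Our API trusts.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
USERS = {"alice@customer.example": "correct horse battery staple"}  # constructed record

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(signing_input: bytes) -> str:
    return _b64url(hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest())

def password_grant(username: str, password: str, client_id: str) -> dict:
    """Token endpoint for grant_type=password (RFC 6749 section 4.3)."""
    stored = USERS.get(username, "").encode()
    if not hmac.compare_digest(stored, password.encode()):
        return {"error": "invalid_grant"}  # bad resource-owner credentials
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": username, "client_id": client_id, "exp": int(time.time()) + 300}
    payload = _b64url(json.dumps(claims).encode())
    signature = _sign(f"{header}.{payload}".encode())
    return {"access_token": f"{header}.{payload}.{signature}", "token_type": "Bearer"}

def our_api_identify_user(bearer_token: str) -> Optional[str]:
    """Our API side: check signature and expiry, return the per-user subject or None."""
    try:
        header, payload, sig = bearer_token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(f"{header}.{payload}".encode()), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims.get("exp", 0) < time.time():
        return None
    return claims.get("sub")

def user_changes_password(username: str, new_password: str) -> None:
    """The user changes their password directly at the IDP, bypassing the Customer API."""
    USERS[username] = new_password

def customer_backend_flow(username: str, stored_password: str) -> Optional[str]:
    """Customer API (trusted backend) obtains a per-user token with the credentials it
    holds, hands it to the Customer App, which presents it to Our API as a bearer token.
    Returns the user Our API identifies, or None when the grant or verification fails."""
    token_resp = password_grant(username, stored_password, client_id="customer-app")
    if "error" in token_resp:
        return None
    return our_api_identify_user(token_resp["access_token"])
```

The token is user-specific (Our API sees `alice@customer.example`, not the Customer), but only because the Customer API keeps a copy of the user's password, which is the coupling the post calls not ideal.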