We have a use case where we want to run an application on 3rd party infrastructure that would communicate back to our own infrastructure and need some way to authenticate it’s an application we trust and limit the scope of what it can access. I understand normally service to service communication would be via the client credentials flow but in this case we don’t have full control over the client environment so it doesn’t seem ideal to trust it with the client secret.
We’ve looked into the client_credentials flow using a private_key_jwt instead so we would sign and provide a shorter lived JWT that can be exchanged for the access token to speak to our services but both the JWT and access token are time capped at 1 hour, which isn’t long enough for the service to run, and there’s no refresh tokens.
I was just wondering if I’ve missed any other flows that would work well for this situation? Or whether our options are to:
- Trust the client with the client secret and allow it to generate it’s own access tokens as they’re needed
- Tie the application to some kind of user, either create a bot user for it or have the auth flow require a user to authenticate for the application (authorization code with PKCE) and get an access token and refresh token. Though the application itself doesn’t do anything on behalf of a particular user.
Any thoughts would be much appreciated.