We have a web application which we already use SSO for so that users can access the user-interface without having to login again. We are good with that part.
The next requirement is how to solve this at the API layer as well. What I mean by this is the following scenario:
User is logged into their internal company application
That application makes API calls to our web application to perform various actions
The request is that these API calls are authenticated as the user, so our web application knows which user is triggering the API calls
In reviewing some of the documentation, there are lots of different protocols and terms thrown around and I am not sure which of these I should be looking into to solve this.
On our side our API does work off OAuth, but if we need to change the authentication we use on our side we are open to doing so.
I’ve tried Googling this, but am unsure exactly what to even search for, so I’m hoping someone here can help point me in the right direction.