Actually we have an application which is also an OAuth 2.0 application, and we have exposed a lot of APIs which our customers are going to use without any manual intervention.
Earlier we were doing authentication using our own /token API internally, but now one of our customers is asking for SAML 2.0 support, and for that I did research and found that SAML 2.0 works well with only the web part.
So we want some way so that when our customer is using SAML 2.0 he should also be able to authenticate (/token) and use our APIs as well, but with SAML 2.0 all the authentication mechanism and credential details are moved to the IdP server.
So we planned to use OAuth 2.0/OIDC APIs to get authenticated on the IdP server, and a lot of our customers did automated cases where they already provided the credentials and they don't want any manual intervention.
For that reason we came up with using grant_type='password', and we decided that we will ask the user to enter the OAuth 2.0/OIDC '/token API', Client ID, Client Secret and scope on our application before using the APIs.
Here we need grant_type='client_credentials' so that I can validate whether the details entered by the user are correct or not after connecting to it using a REST client in the backend; if the details are valid then store them, otherwise return an error message.
How authentication will be performed:
The user will hit our own /token API with username, password and grant_type='password', and inside our /token API we will create a REST client where we make a call to the OAuth 2.0/OIDC /token API, taking the information which we asked the user for on our application, plus the username and password given by the user during the /token call.
In that way we will create one request and hit the OAuth 2.0/OIDC /token API; if the response for that call is 200 OK we assume that the user is valid and will do some processing in our application.
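The two-step flow described in the post, as an added example that is not part of the original question: a client_credentials check of the entered IdP details before storing them, then the application's own /token relaying the password grant. A constructed in-process fake stands in for the IdP /token endpoint so it runs offline; the token URL, client ID/secret and user credentials are placeholders, and the relay checks the token body rather than only the HTTP status.

```python
# Constructed IdP details, as the user would enter them on the application.
IDP_CONFIG = {"token_url": "https://idp.example/oauth2/token",  # placeholder
              "client_id": "app-client", "client_secret": "s3cret", "scope": "openid"}

def fake_idp_post(url, data, auth):
    """Stand-in for the OAuth 2.0/OIDC /token endpoint (constructed, not a real IdP).
    In production replace with e.g. requests.post(url, data=data, auth=auth, timeout=5)
    and return (r.status_code, r.json())."""
    if auth != ("app-client", "s3cret"):
        return 401, {"error": "invalid_client"}
    grant = data.get("grant_type")
    if grant == "client_credentials":
        return 200, {"access_token": "app-token", "token_type": "Bearer", "expires_in": 300}
    if grant == "password":
        if (data.get("username"), data.get("password")) == ("alice", "pw"):
            return 200, {"access_token": "user-token", "token_type": "Bearer", "expires_in": 300}
        return 400, {"error": "invalid_grant"}
    return 400, {"error": "unsupported_grant_type"}

def validate_idp_config(cfg, post=fake_idp_post):
    """Step 1: confirm the entered token URL / client ID / secret / scope work with
    grant_type=client_credentials before the application stores them."""
    status, body = post(cfg["token_url"],
                        {"grant_type": "client_credentials", "scope": cfg["scope"]},
                        (cfg["client_id"], cfg["client_secret"]))
    # Inspect the token response itself: a 200 without an access_token is not valid.
    return status == 200 and "access_token" in body \
        and body.get("token_type", "").lower() == "bearer"

def token_endpoint(form, cfg=IDP_CONFIG, post=fake_idp_post):
    """Step 2: the application's own /token. Accepts grant_type=password and relays
    the user's credentials to the IdP using the stored client details."""
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    if not form.get("username") or not form.get("password"):
        return 400, {"error": "invalid_request"}
    status, body = post(cfg["token_url"],
                        {"grant_type": "password", "username": form["username"],
                         "password": form["password"], "scope": cfg["scope"]},
                        (cfg["client_id"], cfg["client_secret"]))
    if status != 200 or "access_token" not in body:
        # Return a generic error to the caller; log the IdP's detail server-side only.
        return 401, {"error": "invalid_grant"}
    # Issue the application's own bearer token; the user's password is never stored or echoed.
    return 200, {"access_token": body["access_token"], "token_type": "Bearer",
                 "expires_in": body.get("expires_in", 300)}
```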