OAuth 2.0 - Confused about which type of OAuth2 flow to implement for our web app to web app communication
We have a small .NET MVC legacy website that we are trying to implement OAuth2 for. Here's how it works: the website has no user accounts, so no login is required and no authentication is performed. Instead, requests are sent to a controller method. These requests consist of encrypted parameters, which are received and decrypted, and then a webpage is displayed. The "client" (a web app) that sends these requests has a unique encryption key and IV that we provided to them. Of course we trust them to keep this information "secret". If there is an actual resource owner in this scenario, it seems to be the actual "client app" the request is coming from.
Alas, the time has come to make this process a little more secure. There are many articles on OAuth2 flows, and the client credentials flow seems to fit our use case, but typically the information regarding this flow suggests that the "client app" is "trusted", and the implication of "trust" is that you own the "client app". Well, we don't own the client app, which makes me question whether this is the right flow for our use case. Every other OAuth2 flow seems best suited to accessing the resources of a resource owner, which tends to be a user with a username and password. We don't have actual user accounts with usernames and passwords to authenticate, which leads me right back to the client credentials flow.
Furthermore, I haven't been able to find examples similar to our particular use case: web app to web app communication where the client web app is not owned by us. After reading this article: Consuming own API from web app - authentication process with OAuth2, where the client credentials flow is not recommended, we're wondering which flow is recommended.
For the use case described above, which OAuth2 flow do you think would work best?
App to app is pretty simple. I'll refer you to an older article I wrote on the subject a while ago: https://eidand.com/2015/03/28/authorization-system-with-owin-web-api-json-web-tokens/. The article is pretty long and covers a lot, hence why I don't paste the stuff here.
All you need to do is protect the resource server, and you can issue each client app a unique clientid / clientsecret, and that's what they'll use to authenticate themselves.
Your clients are responsible for keeping the clientid and secret private, of course.
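To make the answer concrete, here is an added example of the client credentials exchange it describes: an authorization server that checks a client's id/secret (sent as HTTP Basic auth) and issues a short-lived signed access token, and a resource server that validates that token before serving a request. This is illustrative code written for this page, not code from the answer or from the linked article, and it uses the Python standard library instead of a .NET stack. The client registry, signing key, issuer/audience URLs and the client credentials are constructed values for the example, and the HS256 token format is a hand-rolled JWT-style token rather than a library implementation.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed for this example: in a real deployment the signing key comes from
# a secret store and the registry from a database.
SIGNING_KEY = b"example-signing-key-replace-in-production"
ISSUER = "https://auth.example"          # assumed authorization server URL
AUDIENCE = "https://resource.example"    # assumed resource server URL
TOKEN_TTL_SECONDS = 3600


def _hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def register_client(registry: dict, client_id: str, client_secret: str, scopes: list) -> None:
    """Store a salted hash of the client secret, never the secret itself."""
    salt = secrets.token_bytes(16)
    registry[client_id] = {"salt": salt, "hash": _hash_secret(client_secret, salt), "scopes": list(scopes)}


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Client side: build the Authorization header for the token request."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def token_endpoint(registry: dict, form: dict, authorization: str, now: Optional[float] = None) -> dict:
    """Authorization server: handle POST /token for grant_type=client_credentials."""
    now = time.time() if now is None else now
    if form.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    if not authorization.startswith("Basic "):
        return {"error": "invalid_client"}
    try:
        client_id, client_secret = base64.b64decode(authorization[6:]).decode().split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return {"error": "invalid_client"}
    entry = registry.get(client_id)
    if entry is None:
        _hash_secret(client_secret, b"\x00" * 16)  # keep timing similar for unknown ids
        return {"error": "invalid_client"}
    # Constant-time comparison of the salted hash against the stored one.
    if not hmac.compare_digest(_hash_secret(client_secret, entry["salt"]), entry["hash"]):
        return {"error": "invalid_client"}
    requested = form.get("scope", " ".join(entry["scopes"])).split()
    if any(s not in entry["scopes"] for s in requested):
        return {"error": "invalid_scope"}
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": client_id, "aud": AUDIENCE, "iat": int(now),
              "exp": int(now) + TOKEN_TTL_SECONDS, "scope": " ".join(requested)}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    signature = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return {"access_token": f"{signing_input}.{_b64url(signature)}", "token_type": "Bearer",
            "expires_in": TOKEN_TTL_SECONDS, "scope": " ".join(requested)}


def verify_bearer(token: str, required_scope: str, now: Optional[float] = None) -> Optional[dict]:
    """Resource server: check signature, algorithm, audience, expiry and scope.
    Returns the claims on success, None to reject the request."""
    now = time.time() if now is None else now
    try:
        h, c, s = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(c))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # refuse "none" or any unexpected algorithm
        return None
    if claims.get("aud") != AUDIENCE or claims.get("iss") != ISSUER or claims.get("exp", 0) <= now:
        return None
    if required_scope not in claims.get("scope", "").split():
        return None
    return claims


if __name__ == "__main__":
    registry = {}
    register_client(registry, "legacy-web-client", "s3cret", ["reports:read"])
    resp = token_endpoint(registry, {"grant_type": "client_credentials"},
                          basic_auth_header("legacy-web-client", "s3cret"))
    print(verify_bearer(resp["access_token"], "reports:read"))
```

The scopes attached at registration are what bound the third-party client: even though you do not own it, the token it can obtain is limited to what you granted, and rotating its secret in the registry revokes it without touching the resource server. Secrets are stored hashed and compared in constant time, tokens expire, and the resource server pins the algorithm, issuer and audience so a token minted for another service is not accepted.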