What is the correct OAuth2 flow to use where the user is already authenticated


I am still trying to understand the OAuth2 flows and how it all works together, so apologies in advance if this example is confusing.

The way I understand the OAuth2 authorization flow is:

  1. User goes to a url for a website (www.somesite.com)
  2. User is redirected to an authorization server, like PingFederate, where the user will authenticate.
  3. Once authenticated, the user will be redirected back to the initial site with an authorization code.
  4. etc...

Here's where my situation is different. I cannot redirect my users to an authorization server to log in because my company uses a third-party application framework that authenticates users to a proprietary database. Therefore, my users are already authenticated. Also, my users will never need to allow another application to access their contacts, etc., like all of the OAuth2 examples I've seen.

But, I still need to request authorization tokens (in my case, JWTs) that are individual for each user so that they can pass the token to services that may be called from my primary web app.

The Client Credentials flow doesn't seem to make sense to use because as I understand it, it's more of a machine-to-machine flow.

What flow can I use that will allow me to request authorization tokens from my auth server that contain user-specific attributes?

2

There are 2 best solutions below

2
b.s On BEST ANSWER

What flow can I use that will allow me to request authorization tokens from my auth server that contain user-specific attributes?

If you trust your client app from a security point of view then you can use the Resource Owner Password Flow. Your client code/app has to take the user's credentials and submit them to the authorization server with the other details required for this flow. The authorization server will issue an OAuth access token. If you want the OAuth authorization server to issue a JWT then you have to implement some code to enhance the access token.
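The password-grant exchange described in this answer, as an added example that is not part of the original post: the client builds the RFC 6749 section 4.3 token request, the authorization server checks the client and the user's credentials and mints an HS256 JWT carrying user-specific claims (the "enhance the access token" step), and a downstream service verifies that JWT before trusting its claims. The user store, client registration, issuer and signing key are constructed stand-ins, not anything from the question's environment.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode, parse_qs
# Constructed stand-ins for the proprietary user store, the registered client and the signing key.
USERS = {"alice": {"password": "correct-horse", "dept": "finance", "roles": ["reader"]}}
CLIENTS = {"web-app": "client-secret-1"}
SIGNING_KEY = b"demo-hs256-key-not-for-production"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_password_grant_body(client_id, client_secret, username, password) -> str:
    """Client side: form body POSTed to the AS token endpoint (RFC 6749 section 4.3)."""
    return urlencode({"grant_type": "password", "client_id": client_id, "client_secret": client_secret,
                      "username": username, "password": password, "scope": "api"})

def token_endpoint(body: str, now: int = None) -> dict:
    """AS side: authenticate client and user, then mint an HS256 JWT carrying user-specific claims."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "password":
        return {"error": "unsupported_grant_type"}
    secret = CLIENTS.get(form.get("client_id", ""))
    if secret is None or not hmac.compare_digest(secret.encode(), form.get("client_secret", "").encode()):
        return {"error": "invalid_client"}
    user = USERS.get(form.get("username", ""))
    if user is None or not hmac.compare_digest(user["password"].encode(), form.get("password", "").encode()):
        return {"error": "invalid_grant"}  # one error for unknown user and wrong password
    now = int(time.time()) if now is None else now
    claims = {"iss": "https://as.example", "sub": form["username"], "aud": "api", "iat": now,
              "exp": now + 900, "dept": user["dept"], "roles": user["roles"]}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return {"access_token": f"{header}.{payload}.{_b64url(sig)}", "token_type": "Bearer", "expires_in": 900}

def verify_jwt(token: str, now: int = None) -> dict:
    """Downstream service side: pin alg, check signature, audience and expiry before trusting claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("aud") != "api" or claims["exp"] <= now:
        raise ValueError("wrong audience or expired")
    return claims
```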

0
Gary Archer On

You should still redirect the user, and use the Code Flow. The Authorization Server (AS) needs to be adapted to verify usernames and passwords entered in its login form by connecting to your custom database.

Any good AS will support this via its extensibility features. Look for options such as these:

  • A credential validator that uses JDBC to connect to a database
  • A credential validator that uses a custom HTTP client to connect to an API