While exposing APIs for integration with 3rd party applications, if the security authorization option falls to OAuth authorization framework then the proper grant to use is the Client Credentials.
One should try to ensure that the partner application is confidential, id est, deployed in a secure environment with restricted access to the application client credentials.
Client authentication is used as the authorization grant, no additional authorization request is needed. The access token that allows the application to consume the resources (under the scope) is generated immediately with no further steps.
Diagram from: https://alexbilbie.github.io/guide-to-oauth-2-grants/
OAuth RFC: https://datatracker.ietf.org/doc/html/rfc6749#section-10.8
Sem comentários:
Enviar um comentário