elector

Reputation: 1339

Sharing OAuth Credentials Between Distributed Services

Our OAuth server will be separate from the servers handling actual protected resources, in essence sitting in the middle of a few different systems that each hold protected resources.

For example, the login page will be in one of the systems.

What should be the procedure when an authenticated user in one system goes to the other system? Since it is authenticated it should just go through, but what does OAuth do, and ask for, in this scenario?

Thank you

Upvotes: 1

Views: 164

Answers (1)

Jon Nylander

Reputation: 8963

OAuth doesn't explicitly say anything about this scenario. But from an API design perspective I would:

  • Have ONE API endpoint with the different services specified in the path. Such as http://api.example.com/service1, http://api.example.com/service2 etc.
  • Have that one endpoint handle OAuth and querying of the separate services in the background.

If you go for having transparent "separate systems", such as http://service1.example.com and http://service2.example.com, you can. But make sure to have ONE domain for handling the entire OAuth flow and that each of the API endpoints is capable of handling OAuth requests and has access to the necessary user and token databases to verify requests.

To give you an example, you can:

  1. Receive an OAuth request to http://service1.example.com.
  2. If service1 has access to the user and token databases you can verify the request immediately.
  3. Or you can forward the request to your OAuth service for verification.
  4. And then proceed with serving a response.

Or my alternative (which I think is better):

  1. Have ONE API endpoint that handles OAuth
  2. And after verification calls the different services in the background.

Upvotes: 1
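The single-endpoint design from the answer, as an added example that is not part of the original post: one gateway function verifies the bearer token (either against a shared token store, step 2, or by forwarding it to the OAuth server, step 3) and only then routes to the backing service named in the path. The token store, the introspection stub and the `service1:read`-style scope names are constructed for the example.

```python
# Constructed token store standing in for the shared user/token database.
TOKEN_DB = {
    "tok-alice-1": {"user": "alice", "scope": "service1:read service2:read", "active": True},
    "tok-bob-2":   {"user": "bob",   "scope": "service1:read",               "active": True},
    "tok-revoked": {"user": "carol", "scope": "service1:read",               "active": False},
}

def verify_locally(token):
    """Step 2 of the answer: the endpoint reads the token database directly."""
    rec = TOKEN_DB.get(token)
    if rec is None or not rec["active"]:
        return None
    return {"user": rec["user"], "scopes": set(rec["scope"].split())}

def introspect_stub(token):
    """Stands in for an HTTP call to the OAuth server's introspection endpoint
    (RFC 7662 response shape); constructed, no network involved."""
    rec = TOKEN_DB.get(token)
    if rec is None or not rec["active"]:
        return {"active": False}
    return {"active": True, "sub": rec["user"], "scope": rec["scope"]}

def verify_via_oauth_service(token, introspect=introspect_stub):
    """Step 3 of the answer: forward the token to the OAuth service for verification."""
    resp = introspect(token)
    if not resp.get("active"):
        return None
    return {"user": resp["sub"], "scopes": set(resp.get("scope", "").split())}

# Backends called "in the background" once the gateway has verified the caller.
SERVICES = {
    "service1": lambda user, rest: f"service1/{rest} for {user}",
    "service2": lambda user, rest: f"service2/{rest} for {user}",
}

def gateway(path, headers, verifier=verify_locally):
    """Single API endpoint: /service1/..., /service2/... Returns (status, headers, body)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, ""
    principal = verifier(auth[len("Bearer "):])
    if principal is None:  # unknown or revoked token: never reaches a backend
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}, ""
    service, _, rest = path.strip("/").partition("/")
    if service not in SERVICES:
        return 404, {}, ""
    if f"{service}:read" not in principal["scopes"]:  # authenticated but not authorized here
        return 403, {"WWW-Authenticate": 'Bearer error="insufficient_scope"'}, ""
    return 200, {}, SERVICES[service](principal["user"], rest)
```

Because every backend is reached only through `gateway`, the services themselves never have to see a token or a user database, which is the point of the answer's preferred layout.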
