RomanG

Reputation: 159

OpenID Connect / OAuth: How to allow the OpenID Provider to access a user's data at the Relying Party (Client) side

We're planning integration between two services: A and B.

The service A is going to be an OpenID Provider, the service B relies on it to log users in and create new accounts.

The service A also provides access to its resources via REST API using OAuth authorization, the service B uses the OAuth Access Token obtained via OpenID Authorization Code Flow.

However, there are some cases when A wants to get data from B. There is an established agreement between these services, that A can access any data from B in the scope of a user that was created via OpenID Connect.

How could I design authorization for the service B API? What could A provide to B in an HTTP request?

I'm considering things like a classic API Key, but it doesn't look natural in this workflow.

Upvotes: 0

Views: 66

Answers (1)

Kavindu Dodanduwa

Reputation: 13059

There is no direct solution to your mentioned scenario from the OAuth and OpenID Connect protocol perspective.

But from what you have explained, you have OAuth 2.0 access token protected services in service A. Also, A acts as an identity provider (with OpenID Connect support). If this is the case, I believe you control the token issuing process and validations.

One option is to enable services from B which are protected by OAuth 2.0 access tokens, which is similar to what you already have in A. To consume those services, you will have some service/client implementations bound to A. What they would do is obtain tokens from A itself to communicate with B. This can follow the client credentials grant from OAuth 2.0, as there is no end user involvement (the scenario involves service to service interaction).

This suggested solution is similar to API key usage but with the added benefit of the OAuth 2.0 protocol. This allows you to generate access tokens with a limited lifetime and allows refreshing them if required. Also, in case you want B's services to be consumed by another client, then things are straightforward.

Upvotes: 1
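The design in the answer above, as an added Python example that is not code from the original post or from either service: B exposes an OAuth 2.0-protected API, a service client inside A obtains a token from A's own token endpoint with the client credentials grant, and B validates that token before serving the request. It also shows B enforcing the agreement stated in the question (A may only read users that were created via OpenID Connect from A) by checking which issuer provisioned the account. The hostnames a.example and b.example, the client id a-backend, the scope b.users.read, the user store and the sample records are all constructed for this example. HS256 with a shared key is used only to keep the example stdlib-only; in a real deployment A would sign with an asymmetric key (RS256/ES256) and B would verify against A's published JWKS. The example also covers the rejections a resource server must handle: an expired token, a token without the required scope, a tampered signature, and a token A minted for its own API being replayed against B.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed identifiers for the two services in the post (not from the original).
ISSUER = "https://a.example"              # service A: OpenID Provider / authorization server
A_API_AUDIENCE = "https://a.example/api"  # A's own OAuth-protected REST API
B_API_AUDIENCE = "https://b.example/api"  # B's API, the resource server A wants to call
# HS256 shared key keeps this demo stdlib-only; production: asymmetric key + JWKS at A.
SIGNING_KEY = b"demo-only-shared-key"

# Clients registered at A. "a-backend" is A's own service identity for
# machine-to-machine calls to B; it holds a client secret, not a user's credentials.
REGISTERED_CLIENTS = {
    "a-backend": {
        "secret_sha256": hashlib.sha256(b"a-backend-secret").hexdigest(),
        "allowed_scopes": {"b.users.read"},
    },
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest()

# --- Service A: token endpoint handling grant_type=client_credentials ---
def issue_client_credentials_token(client_id, client_secret, scope,
                                   audience=B_API_AUDIENCE, now=None, ttl=300):
    now = int(time.time()) if now is None else now
    client = REGISTERED_CLIENTS.get(client_id)
    presented = hashlib.sha256(client_secret.encode()).hexdigest()
    if client is None or not hmac.compare_digest(presented, client["secret_sha256"]):
        raise PermissionError("invalid_client")
    requested = set(scope.split())
    if not requested <= client["allowed_scopes"]:
        raise PermissionError("invalid_scope")
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "sub": client_id,                 # the client itself: no end user is involved
        "aud": audience,                  # binds the token to exactly one API
        "scope": " ".join(sorted(requested)),
        "iat": now,
        "exp": now + ttl,                 # short lifetime; the client re-requests on expiry
    }
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode())).encode()
    return signing_input.decode() + "." + _b64url(_sign(signing_input))

# --- Service B: validating the bearer token on every incoming request ---
def validate_token(token, required_scope, now=None):
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":      # pin the algorithm; never let the token choose it
        raise PermissionError("bad_alg")
    if not hmac.compare_digest(_sign(f"{h}.{p}".encode()), _b64url_decode(s)):
        raise PermissionError("bad_signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise PermissionError("bad_issuer")
    if claims.get("aud") != B_API_AUDIENCE:  # a token minted for A's own API is not valid here
        raise PermissionError("bad_audience")
    if claims.get("exp", 0) <= now:
        raise PermissionError("expired")
    if required_scope not in claims.get("scope", "").split():
        raise PermissionError("insufficient_scope")
    return claims

def rejection_reason(token, required_scope, now=None):
    """None if B accepts the token, otherwise the error code B would return."""
    try:
        validate_token(token, required_scope, now)
    except PermissionError as exc:
        return str(exc)
    return None

# --- B's rule from the question: A may only read users created via OIDC from A ---
# Constructed sample user store; "oidc_issuer" records which provider created the account.
B_USERS = {
    "u1": {"email": "alice@example.org", "oidc_issuer": ISSUER, "oidc_sub": "a-user-42"},
    "u2": {"email": "bob@example.org", "oidc_issuer": None, "oidc_sub": None},  # local account
}

def user_visible_to_caller(claims, user_id):
    # Return the record only if the token's issuer is the provider that provisioned it.
    user = B_USERS.get(user_id)
    if user is None or user["oidc_issuer"] != claims["iss"]:
        return None
    return user
```

The `aud` check is what makes this safer than a shared API key: the same client credentials at A can mint tokens for A's own API and for B, and B refuses the former even though the signature is valid. If A issues opaque rather than self-contained tokens, B can get the same claims by calling A's token introspection endpoint (RFC 7662) instead of verifying a signature locally.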
