Donald N. Mafa

Reputation: 5283

REST API to API authentication with Authorization Server

I have basically three types of applications: an authorization server (AuthServer), a resource server (ResServer1) and a website. All calls from the website to ResServer1 are authenticated using a bearer token obtained from the AuthServer, which is also passed in the request header. The AuthServer is based on the ResourceOwner authorization type, which means that a user, in order to access a protected method, needs to authenticate with a username and password.

The issue I have now is that I need to introduce a new resource server (ResServer2) which will make calls to resources in ResServer1. The problem is authenticating a system-to-system call, since the ResServer2 service is not a user. What is the best way to authenticate another service?

Upvotes: 0

Views: 331

Answers (1)

Vidmantas Blazevicius

Reputation: 4802

In that kind of scenario there is the client_credentials grant type, where your ResServer2 becomes a consumer as well as a resource. So the recommended way would be to set it up like that, but in that case your ResServer2 would not have any user context.

I have faced a similar scenario where we had a lot of legacy code depending on user context, and changing the entire authorization mechanism to policy-based was not an option. I am not saying this approach is good, but we basically set up our website to request the scopes for both ResServer1 and ResServer2. Then, once the user logs in and the front end requests protected data from ResServer1, ResServer1, whenever it needs to request protected data from ResServer2, would just reuse the same bearer token that was passed in the original request from the WebApp.

Upvotes: 1
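A runnable sketch of the two flows the answer contrasts, added here as an illustration; it is not code from the question or the answer. It stands in an in-process AuthServer token endpoint (HS256 tokens signed with a constructed shared key; a real AuthServer would use an asymmetric key and publish a JWKS), a hypothetical client registry, and the bearer-token check ResServer1 would run on each request. ResServer2 obtains its own token through client_credentials, where the subject is the client itself, while the website's password-grant token carries the user. All names, secrets, scopes and user accounts are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by AuthServer and resource servers (assumption;
# production would use RS256/ES256 with keys fetched from the AuthServer's JWKS).
SIGNING_KEY = b"constructed-demo-signing-key"
ISSUER = "https://authserver.example"

# Hypothetical client registrations on the AuthServer.
CLIENTS = {
    "website":    {"secret": "website-secret",    "scopes": {"resserver1.read"}},
    "resserver2": {"secret": "resserver2-secret", "scopes": {"resserver1.read"}},
}
USERS = {"alice": "correct horse battery staple"}  # constructed user store


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(claims: dict) -> str:
    """Mint a compact HS256 JWT: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _authenticate_client(client_id: str, client_secret: str, scope: str) -> set:
    """Every grant type starts by authenticating the client and bounding its scopes."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        raise PermissionError("invalid_client")
    requested = set(scope.split())
    if not requested <= client["scopes"]:
        raise PermissionError("invalid_scope")
    return requested


def token_endpoint(form: dict) -> str:
    """AuthServer /token, supporting the password and client_credentials grants."""
    requested = _authenticate_client(form["client_id"], form["client_secret"], form.get("scope", ""))
    now = int(time.time())
    claims = {"iss": ISSUER, "aud": "resserver1", "client_id": form["client_id"],
              "scope": " ".join(sorted(requested)), "iat": now, "exp": now + 300}
    if form["grant_type"] == "password":
        # Resource Owner Password Credentials: a user is the subject of the token.
        if USERS.get(form["username"]) != form["password"]:
            raise PermissionError("invalid_grant")
        claims["sub"] = form["username"]
    elif form["grant_type"] == "client_credentials":
        # Client Credentials: the calling service itself is the subject; no user exists.
        claims["sub"] = form["client_id"]
    else:
        raise PermissionError("unsupported_grant_type")
    return _sign(claims)


def verify_bearer(authorization: str, audience: str, required_scope: str) -> dict:
    """What ResServer1 does with the Authorization header: signature, iss, aud, exp, scope."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        raise PermissionError("invalid_request")
    header, payload, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise PermissionError("invalid_token")
    claims = json.loads(_b64url_decode(payload))
    if claims["iss"] != ISSUER or claims["aud"] != audience or claims["exp"] <= time.time():
        raise PermissionError("invalid_token")
    if required_scope not in claims["scope"].split():
        raise PermissionError("insufficient_scope")
    return claims


def resserver1_protected_resource(authorization: str) -> dict:
    """ResServer1 endpoint: authorizes by scope, then reports who is calling."""
    claims = verify_bearer(authorization, audience="resserver1", required_scope="resserver1.read")
    # With client_credentials, sub == client_id: there is no user to act on behalf of.
    user = None if claims["sub"] == claims["client_id"] else claims["sub"]
    return {"caller": claims["client_id"], "user": user, "data": "resource-from-ResServer1"}


def resserver2_call_resserver1() -> dict:
    """ResServer2 acting as a client: fetch its own token, then call ResServer1 with it."""
    token = token_endpoint({"grant_type": "client_credentials", "client_id": "resserver2",
                            "client_secret": "resserver2-secret", "scope": "resserver1.read"})
    return resserver1_protected_resource(f"Bearer {token}")


def website_call_resserver1(username: str, password: str) -> dict:
    """The existing path: the website logs the user in via the password grant."""
    token = token_endpoint({"grant_type": "password", "client_id": "website",
                            "client_secret": "website-secret", "username": username,
                            "password": password, "scope": "resserver1.read"})
    return resserver1_protected_resource(f"Bearer {token}")
```

Both callers pass ResServer1's check because authorization there is by scope, not by who the subject is; only the website's token carries a user. If any ResServer1 method needs a user identity to make its decision, a client_credentials token from ResServer2 cannot supply it, which is the limitation the answer describes. The audience and expiry checks matter in practice: a token minted for ResServer1 should not be accepted by a different resource server, and a service token should be short-lived and re-requested rather than cached indefinitely.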
