After some extensive research I still don’t know how to properly implement the following case. I think this question answers something similar, but I’m not 100% sure (Should client have access to 3rd party API access token?).
Let’s say I have my resource server (my-api.com), my identity provider and authorization server (my-idp.com) and a client app (native or browser) (com.my-app).
The standard use-case is implemented with the authorization grant flow.
I now have a new use-case, where I need to request data from a 3rd party resource server (other-api.com). The 3rd party has an identity provider as well and offers OAuth 2.0 authorization and OpenID authentication flows.
Resource owners of the 3rd party need to give their consent to my application so I can request their data and further use it in my application.
My questions are the following:
Is the on-behalf-of flow what I need? It seems to be for two APIs which I control, not for 3rd party APIs.
How do I handle the 3rd party access, refresh and ID tokens to make requests on behalf of the resource owner?
- I could store the 3rd party tokens in my-api.com and append them to every request I make to fetch data for my user?
- I could store the 3rd party tokens in my-idp.com next to my user information?
- I could send the 3rd party tokens to com.my-app which would result in two tokens for each party. This seems to be awkward.
I would go for option 2 and would extend the functionality of my-idp.com. Is this a valid approach? My API my-api.com would then fetch the 3rd party tokens before it makes requests on behalf of my user.
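As an added illustration of what option 2 looks like in code (this is not code from the question or from any of the named services): a server-side "token vault" holds the 3rd-party grant keyed by the user's `sub` from my-idp.com, so com.my-app never receives the other-idp.com tokens. my-api.com asks the vault for a currently valid access token before calling other-api.com, refreshing it when it is about to expire and forcing re-consent when the refresh token is rejected. The 3rd-party ID token is only used once, at link time, to bind the 3rd-party identity; it is not stored or sent to other-api.com. All class and function names, the fake token endpoint and every token string are assumptions constructed for this example.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Refresh this many seconds before the recorded expiry so a token that is
# about to expire is not attached to an outbound request that then fails.
REFRESH_SKEW_SECONDS = 60


class NotLinked(Exception):
    """No 3rd-party grant for this user: the consent flow was never run."""


class NeedsReconsent(Exception):
    """Grant cannot be refreshed (revoked, or no refresh token): the user
    must go through the 3rd party's authorization flow again."""


@dataclass
class ThirdPartyGrant:
    access_token: str
    refresh_token: Optional[str]
    expires_at: float        # absolute Unix time, derived from expires_in
    scope: str
    third_party_sub: str     # `sub` from the validated 3rd-party ID token


class TokenVault:
    """Keyed by the my-idp.com `sub`. In-memory here (constructed for the
    example); a real store in my-idp.com must encrypt these at rest."""

    def __init__(self) -> None:
        self._grants: Dict[str, ThirdPartyGrant] = {}

    def link(self, my_sub: str, grant: ThirdPartyGrant) -> None:
        self._grants[my_sub] = grant

    def get(self, my_sub: str) -> Optional[ThirdPartyGrant]:
        return self._grants.get(my_sub)

    def unlink(self, my_sub: str) -> None:
        self._grants.pop(my_sub, None)


def link_from_token_response(vault: TokenVault, my_sub: str, token_response: dict,
                             id_claims: dict, expected_iss: str, now: float) -> ThirdPartyGrant:
    """Run once after the authorization-code exchange with the 3rd party.
    `id_claims` must already be signature/aud/nonce-validated by your OIDC
    library; the ID token is used only to bind the identity and is not kept."""
    if id_claims.get("iss") != expected_iss:
        raise ValueError("ID token issuer mismatch")
    grant = ThirdPartyGrant(
        access_token=token_response["access_token"],
        refresh_token=token_response.get("refresh_token"),
        expires_at=now + int(token_response["expires_in"]),
        scope=token_response.get("scope", ""),
        third_party_sub=id_claims["sub"],
    )
    vault.link(my_sub, grant)
    return grant


class ThirdPartyClient:
    """Used by my-api.com: maps the caller's my-idp.com `sub` to a currently
    valid other-api.com bearer token, refreshing when needed."""

    def __init__(self, vault: TokenVault, refresh_endpoint: Callable[[str], dict],
                 now: Callable[[], float] = time.time) -> None:
        self.vault = vault
        self.refresh_endpoint = refresh_endpoint  # a refresh_token grant POST in reality
        self.now = now

    def access_token_for(self, my_sub: str) -> str:
        grant = self.vault.get(my_sub)
        if grant is None:
            raise NotLinked(my_sub)
        if grant.expires_at - REFRESH_SKEW_SECONDS > self.now():
            return grant.access_token
        if grant.refresh_token is None:
            raise NeedsReconsent(my_sub)
        resp = self.refresh_endpoint(grant.refresh_token)
        if "error" in resp:
            # RFC 6749 invalid_grant: consent was revoked or the refresh token
            # was rotated away. Drop the stale grant and force re-consent.
            self.vault.unlink(my_sub)
            raise NeedsReconsent(my_sub)
        renewed = ThirdPartyGrant(
            access_token=resp["access_token"],
            # Providers that rotate refresh tokens return a new one; otherwise keep the old one.
            refresh_token=resp.get("refresh_token", grant.refresh_token),
            expires_at=self.now() + int(resp["expires_in"]),
            scope=resp.get("scope", grant.scope),
            third_party_sub=grant.third_party_sub,
        )
        self.vault.link(my_sub, renewed)
        return renewed.access_token

    def outbound_headers(self, my_sub: str) -> Dict[str, str]:
        """Headers my-api.com attaches to its own request to other-api.com."""
        return {"Authorization": "Bearer " + self.access_token_for(my_sub)}


def fake_other_idp_token_endpoint(refresh_token: str) -> dict:
    """Constructed stand-in for the 3rd party's token endpoint handling a
    refresh_token grant: rotates the refresh token, rejects a revoked one."""
    if refresh_token == "rt-revoked":
        return {"error": "invalid_grant"}
    return {"access_token": "at-from-" + refresh_token, "token_type": "Bearer",
            "expires_in": 3600, "refresh_token": refresh_token + "-rotated"}


if __name__ == "__main__":
    vault = TokenVault()
    client = ThirdPartyClient(vault, fake_other_idp_token_endpoint, now=lambda: 0.0)
    link_from_token_response(vault, "alice",
                             {"access_token": "at-0", "refresh_token": "rt-1", "expires_in": 30, "scope": "read"},
                             {"iss": "https://other-idp.com", "sub": "op-42"},
                             "https://other-idp.com", now=0.0)
    print(client.outbound_headers("alice"))  # expiry is inside the skew window, so it refreshes first
```

The client app still only ever holds its own my-idp.com tokens; the 3rd-party refresh token never leaves the server side, and a failed refresh is surfaced to the app as "re-link your account" rather than as a raw other-api.com error.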