I am new to Spring Boot and I am going to develop a card issuance system (microservices-based). I have two types of users that will request protected resources of the system.

  1. Admin users (use the REST API and a React app)
  2. Third party (a microfinance bank that will request card issuance for its users via the REST API) (server)

I want to use the OAuth2 protocol for these users for authentication and authorization. I am using a microservices-based architecture for the card system in Spring Boot. I have read the Spring Boot documentation for the authorization server and I am not able to decide which flow/grant type should be used for these users.

I have seen the redirection of web users to the login page and consent page in the documentation, but I have REST API clients and I cannot redirect the users and show them the consent page for either type of user (I don't want that either). Please help me decide if OAuth2 is suitable for this scenario. If so, how can I customize the authorization server, resource server, and OAuth2 client service to fit my requirements? Please help me with this and let me know if you want more explanation of my requirements. Thanks.

I have configured the Spring Boot authorization server and resource server, and I was able to get a token using the client_credentials flow; that flow is intended for server-to-server communication and not for admin users. What I want is to get an access_token and refresh_token via a REST API client (admin user and the other third party (bank)), differentiate these clients based on user type, and not use the typical login page and consent page.

  • Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. – Community Aug 08 '23 at 15:30
  • I think instead of asking the community whether OAuth2 is right for your use case, you might be better served learning what use cases OAuth2 is designed for (for which there are many good resources to help you learn). Also, what is missing from your post is how you intend to log users in. Without knowing what your authentication might look like (since you're stating that you don't want to use a login page or consent screen), I'm not clear how admins log into your system. Having said that, since you don't want a login/consent screen I'm fairly convinced OAuth2 is not a good fit for you. – Steve Riesenberg Aug 10 '23 at 19:11
  • So I want to log in users (Admin, etc.) through an API, e.g. POST /login. Mostly there will be first-party apps (probably in React.js, Android and iOS) that will interact with the system, and only one third-party service. Thanks @SteveRiesenberg – Adil Bhatti Aug 11 '23 at 04:20
  • First-party authentication via an API is generally an alternative to OAuth (meaning they are not really complementary). The closest you get is with the `password` grant in OAuth 2.0, but this grant type is currently removed from the OAuth 2.1 draft and is not recommended. So I would say OAuth is probably not a fit for you. – Steve Riesenberg Aug 17 '23 at 15:21
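The following is an added example (not code from the question or from any of the commenters) showing how the two client populations discussed above would normally be registered in Spring Authorization Server: the bank as a confidential client on `client_credentials` (which the asker already has working), and the first-party admin app as a public client on `authorization_code` with PKCE and refresh tokens. Client IDs, secrets, redirect URI, scopes, token lifetimes and the `client_type` claim value names are all assumptions for illustration. Note the caveat the comments raise: the authorization-code grant still requires the user to authenticate at the authorization server (a login page), so this example does not give the admin app a `POST /login` API; what it does avoid is the consent screen, which `requireAuthorizationConsent(false)` disables for a first-party client.

```java
import java.time.Duration;
import java.util.UUID;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;

@Configuration
public class ClientRegistrationConfig {

    // All client IDs, secrets, URIs and scopes below are hypothetical.
    // A real deployment loads them from a JDBC-backed RegisteredClientRepository.
    @Bean
    public RegisteredClientRepository registeredClientRepository() {
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();

        // 1. Third-party bank: confidential client, server-to-server, no end user involved.
        //    client_credentials is the right grant here; the secret is stored hashed.
        RegisteredClient bank = RegisteredClient.withId(UUID.randomUUID().toString())
            .clientId("mfb-issuance-service")
            .clientSecret(encoder.encode("change-me-bank-secret"))
            .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
            .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
            .scope("card:issue")
            .tokenSettings(TokenSettings.builder()
                .accessTokenTimeToLive(Duration.ofMinutes(10))   // short-lived; no refresh token is issued for this grant
                .build())
            .build();

        // 2. First-party admin SPA: public client (no secret can be kept in a browser),
        //    authorization_code + PKCE, refresh tokens allowed, consent screen skipped.
        RegisteredClient adminSpa = RegisteredClient.withId(UUID.randomUUID().toString())
            .clientId("card-admin-spa")
            .clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
            .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
            .redirectUri("https://admin.example.test/callback")
            .scope(OidcScopes.OPENID)
            .scope("card:admin")
            .clientSettings(ClientSettings.builder()
                .requireProofKey(true)                 // PKCE is mandatory for a public client
                .requireAuthorizationConsent(false)    // first-party app: no consent page
                .build())
            .tokenSettings(TokenSettings.builder()
                .accessTokenTimeToLive(Duration.ofMinutes(15))
                .refreshTokenTimeToLive(Duration.ofHours(8))
                .reuseRefreshTokens(false)             // rotate the refresh token on every use
                .build())
            .build();

        return new InMemoryRegisteredClientRepository(bank, adminSpa);
    }

    // Stamp a client_type claim into every access token so resource servers can tell
    // the two populations apart by grant type rather than by parsing client IDs.
    // The claim name and values are assumed names, not from the original post.
    @Bean
    public OAuth2TokenCustomizer<JwtEncodingContext> clientTypeClaim() {
        return context -> {
            if (!OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
                return;
            }
            boolean machineClient = AuthorizationGrantType.CLIENT_CREDENTIALS
                .equals(context.getAuthorizationGrantType());
            context.getClaims().claim("client_type",
                machineClient ? "third_party_service" : "admin_user");
        };
    }
}
```

On the resource-server side the split is then enforced with scopes rather than user types: an endpoint that issues cards is guarded with something like `@PreAuthorize("hasAuthority('SCOPE_card:issue')")`, while admin endpoints require `SCOPE_card:admin`, and the `client_type` claim is available for audit logging. The bank never sees a login or consent page because `client_credentials` has no user; only the admin flow involves a browser redirect, which is exactly the point the comments make about `POST /login`-style first-party authentication not mapping onto OAuth2.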

0 Answers