oauth-2.0, federated-identity, stormpath

Implementing identity and access management backed by Stormpath


We are planning to create an identity and access management system for one of our applications, and using Stormpath made a lot of sense in terms of ROI, given that one of the decisions is to have the IAM system abstract Stormpath, so in case required we can replace it with an alternative (custom or another SaaS).

Please let me know if the below flow is technically feasible.

Login) Client ---Password Grant--> My IAM --Forward--> Stormpath Server --Token--> My IAM --Forward Token--> Client

Authorization) Client --Token--> My IAM --Forward--> Stormpath --Result--> My IAM --Forward--> Client(Success/Failed/Refresh)

Logout) Client --Token--> My IAM --Invalidate the Token-->  Stormpath --Token invalidated--> My IAM --Logged out--> Client 

The grant type as of now is going to be password_grant, as we are authenticating our REST services and are not providing APIs for 3rd-party applications.


Solution

  • Stormpath supports this through the Token Management / Validation API.

    This is documented in depth here: https://docs.stormpath.com/guides/token-management/

    If you are already implementing OAuth endpoints, you can forward those requests to your Stormpath Application's /oauth/token endpoint and Stormpath will generate an OAuth 2.0 compliant Access Token and Refresh Token with configurable expiration times.

    Validation is also supported for authorization: https://docs.stormpath.com/guides/token-management/#validating-access-tokens

    Some other nice features that you can leverage through the API as well are refresh Access Tokens (with the Refresh Token) and revoking the tokens.
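To make the three flows in the question (login, authorization with a Success/Failed/Refresh outcome, logout) and the validate/refresh/revoke operations in the answer concrete, here is an added example of the "My IAM" facade in Python. It is not code from the question, the answer or Stormpath: the `TokenProvider` protocol is the seam the question wants so the upstream can be swapped, and `InMemoryProvider` is a constructed stand-in for the upstream `/oauth/token` service, with an injectable clock so expiry can be exercised without waiting. Error codes follow RFC 6749 (`invalid_grant`); the status strings mirror the question's diagram.

```python
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional, Protocol


@dataclass
class TokenPair:
    access_token: str
    refresh_token: str
    expires_in: int


class TokenProvider(Protocol):
    """What 'My IAM' needs from the upstream; Stormpath or a replacement implements it."""
    def password_grant(self, username: str, password: str) -> Optional[TokenPair]: ...
    def validate(self, access_token: str) -> tuple[str, Optional[str]]: ...
    def refresh(self, refresh_token: str) -> Optional[TokenPair]: ...
    def revoke(self, access_token: str) -> bool: ...


@dataclass
class _Issued:
    subject: str
    expires_at: float
    refresh_token: str
    revoked: bool = False


class InMemoryProvider:
    """Constructed stand-in for the upstream /oauth/token service (not Stormpath code).
    Tokens are opaque random strings looked up server-side."""
    ACCESS_TTL = 3600  # seconds; the real upstream makes this configurable

    def __init__(self, users: dict[str, str], clock: Callable[[], float] = time.time):
        self._users = users            # username -> password (plaintext only for the demo)
        self._clock = clock
        self._by_access: dict[str, _Issued] = {}
        self._by_refresh: dict[str, str] = {}  # refresh token -> access token

    def _issue(self, subject: str) -> TokenPair:
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._by_access[access] = _Issued(subject, self._clock() + self.ACCESS_TTL, refresh)
        self._by_refresh[refresh] = access
        return TokenPair(access, refresh, self.ACCESS_TTL)

    def password_grant(self, username, password):
        expected = self._users.get(username)
        # Constant-time compare so a wrong password leaks nothing through timing.
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        return self._issue(username)

    def validate(self, access_token):
        rec = self._by_access.get(access_token)
        if rec is None or rec.revoked:
            return ("invalid", None)
        if rec.expires_at <= self._clock():
            return ("expired", None)
        return ("ok", rec.subject)

    def refresh(self, refresh_token):
        access = self._by_refresh.pop(refresh_token, None)
        rec = self._by_access.get(access) if access else None
        if rec is None or rec.revoked:
            return None
        rec.revoked = True  # rotate: the old pair is dead once a new one is issued
        return self._issue(rec.subject)

    def revoke(self, access_token):
        rec = self._by_access.get(access_token)
        if rec is None or rec.revoked:
            return False
        rec.revoked = True
        self._by_refresh.pop(rec.refresh_token, None)  # the refresh token dies with it
        return True


class IAM:
    """'My IAM' from the question: clients only ever talk to this facade."""
    def __init__(self, provider: TokenProvider):
        self._provider = provider

    def _token_response(self, tok: Optional[TokenPair]) -> dict:
        if tok is None:
            return {"error": "invalid_grant"}  # RFC 6749 error code
        return {"token_type": "Bearer", "access_token": tok.access_token,
                "refresh_token": tok.refresh_token, "expires_in": tok.expires_in}

    def login(self, username: str, password: str) -> dict:
        return self._token_response(self._provider.password_grant(username, password))

    def authorize(self, access_token: str) -> dict:
        state, subject = self._provider.validate(access_token)
        if state == "ok":
            return {"status": "success", "subject": subject}
        # Expired but otherwise valid: tell the client to use its refresh token.
        return {"status": "refresh" if state == "expired" else "failed"}

    def refresh(self, refresh_token: str) -> dict:
        return self._token_response(self._provider.refresh(refresh_token))

    def logout(self, access_token: str) -> dict:
        ok = self._provider.revoke(access_token)
        return {"status": "logged_out" if ok else "failed"}
```

Swapping the backend is then a matter of writing another `TokenProvider` that forwards each call to the real upstream endpoints; clients see the same `IAM` responses either way. Two details worth keeping when you do: refresh tokens are rotated (the old access/refresh pair stops working once a new pair is issued), and logout revokes the refresh token together with the access token, so a stolen refresh token cannot outlive the session it belonged to.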