
How to delegate two factor for OneLogin's Cloud Directory?


The Cloud Directory API contains a number of useful APIs. But the documentation suggests that login should be handled with hand-written login pages. This is a big hassle.

Is there no way to use the Cloud Directory API with delegated login pages? Is it possible to convert a SAML token or OpenID Connect token into an OAuth2 token (both of which support delegated login)?


Solution

  • One way to go about this would be:

    1. Use OpenID Connect to authenticate users, since it supports delegating the login screen
    2. Store a OneLogin API client ID and secret on our server, which allows us to call all the Cloud Directory APIs without having a user's access_token

    Although this may not satisfy the principle of least privilege (since we have to give our server readall permissions).
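
The server-side half of the approach above (step 2), as an added example that is not code from the answer or from OneLogin: after OIDC has already authenticated the browser session, the server exchanges its own stored API client ID and secret for an API access token via the client-credentials grant and uses that bearer token to call the Cloud Directory endpoint. The endpoint paths (`/auth/oauth2/v2/token`, `/api/2/users`) are assumptions taken from OneLogin's public API documentation and should be checked against the current version; the `transport` argument, `make_fake_transport` and `SAMPLE_USERS` are hypothetical additions so the client can be run offline against a constructed stand-in for the API.

```python
"""Server-side OneLogin Cloud Directory lookup using client credentials.

Added example, not from the original thread. Assumed endpoints (verify
against OneLogin's current API docs):
  POST {base}/auth/oauth2/v2/token   grant_type=client_credentials
  GET  {base}/api/2/users?email=...
"""
import base64
import json
import time
import urllib.parse
import urllib.request


def urllib_transport(method, url, headers, body):
    """Real HTTP transport; the offline demo below swaps in a fake one."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()


class OneLoginDirectoryClient:
    def __init__(self, base_url, client_id, client_secret, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.client_id = client_id
        # The secret lives only on the server; the browser never sees it.
        self.client_secret = client_secret
        self.transport = transport  # hypothetical seam for offline testing
        self._token, self._expires_at = None, 0.0

    def _api_token(self):
        """Fetch and cache an API token via the client-credentials grant."""
        if self._token and time.time() < self._expires_at - 60:
            return self._token
        creds = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        headers = {"Authorization": "Basic " + creds, "Content-Type": "application/json"}
        body = json.dumps({"grant_type": "client_credentials"}).encode()
        status, raw = self.transport("POST", self.base_url + "/auth/oauth2/v2/token", headers, body)
        if status != 200:
            raise RuntimeError(f"token request failed: HTTP {status}")
        data = json.loads(raw)
        self._token = data["access_token"]
        self._expires_at = time.time() + int(data.get("expires_in", 0))
        return self._token

    def _get(self, path):
        headers = {"Authorization": "Bearer " + self._api_token(), "Accept": "application/json"}
        status, raw = self.transport("GET", self.base_url + path, headers, None)
        if status == 401:  # token revoked or expired early: drop cache, retry once
            self._token = None
            headers["Authorization"] = "Bearer " + self._api_token()
            status, raw = self.transport("GET", self.base_url + path, headers, None)
        if status != 200:
            raise RuntimeError(f"GET {path} failed: HTTP {status}")
        return json.loads(raw)

    def find_user_by_email(self, email):
        """Look up the directory record for a user OIDC has already authenticated."""
        users = self._get("/api/2/users?email=" + urllib.parse.quote(email))
        return users[0] if users else None


# Constructed directory contents and a constructed stand-in for the API (offline only).
SAMPLE_USERS = [{"id": 1, "email": "alice@example.com", "firstname": "Alice"}]


def make_fake_transport(client_id, client_secret, users):
    expect_basic = "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

    def transport(method, url, headers, body):
        if method == "POST" and url.endswith("/auth/oauth2/v2/token"):
            if headers.get("Authorization") != expect_basic:
                return 401, b'{"message":"Unauthorized"}'
            return 200, json.dumps({"access_token": "fake-token", "expires_in": 36000}).encode()
        if method == "GET" and "/api/2/users" in url and headers.get("Authorization") == "Bearer fake-token":
            email = urllib.parse.unquote(url.split("email=", 1)[1])
            return 200, json.dumps([u for u in users if u["email"] == email]).encode()
        return 401, b'{"message":"Unauthorized"}'

    return transport


def demo_lookup(email, secret="client-secret"):
    fake = make_fake_transport("client-id", "client-secret", SAMPLE_USERS)
    client = OneLoginDirectoryClient("https://api.us.onelogin.com", "client-id", secret, transport=fake)
    return client.find_user_by_email(email)


def wrong_secret_is_rejected():
    try:
        demo_lookup("alice@example.com", secret="bad-secret")
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(demo_lookup("alice@example.com"))
```

The least-privilege caveat from the answer applies to the credential used here: when creating the API client ID and secret in OneLogin, pick the narrowest scope the server actually needs (read-only if it only looks users up), since anyone who obtains the secret gets every permission attached to it.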