Tags: oauth-2.0, identityserver4

OAuth - does it make sense to combine Device Flow and Client Credentials flows on same client?


I am developing a browserless app that needs access to two APIs - an Application API (read-only, e.g. remote configuration) and a User API (read-write, e.g. user preferences).

The app has the Client ID and Secret stored locally and therefore takes advantage of the Client Credentials flow to access the Application API. Now I need users to be able to access a User API and I'm wondering how to configure the backend (which in this case uses IdentityServer4) to do so. The API should be protected so that only authenticated users can access it, and I am planning on reading the Claims sent to identify the user.

Should I extend the existing Client ID to also allow the Device Flow grant type or create a separate Client just for this "user-only" flow?

I'm new to OAuth and want to make sure I'm doing this right so everything is kept secure.


Solution

  • Always use different OAuth clients for different client side connections, which will give you more control:

    • Rules such as access token lifetime can be set differently when needed
    • A compromised client (e.g. secret stolen) can be disabled without impacting other clients
    • Metrics and logging will be more useful also

    It is usually easy to configure multiple clients in the Authorization Server via a Management UI.
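The following is an added example illustrating the answer above; it is not code from the original post or from the IdentityServer4 project. It shows an in-memory IdentityServer4 configuration with two separate clients for the same device: one limited to the Client Credentials grant for the Application API, and one limited to the Device Authorization grant for the User API, each with its own lifetimes and scopes. Client ids, secrets, scope names and lifetime values are illustrative assumptions, as is the `UserApi` authorization policy at the end, which the User API would use to reject tokens that carry no user identity (a client-credentials token has no `sub` claim).

```csharp
// Added example, not from the original answer. Assumes IdentityServer4 v4
// (ApiScope / AddInMemoryApiScopes) and ASP.NET Core authorization.
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.Extensions.DependencyInjection;

public static class Config
{
    // Two API scopes, one per API the device talks to (names are assumptions).
    public static IEnumerable<ApiScope> ApiScopes => new[]
    {
        new ApiScope("application.api", "Application API (remote configuration)"),
        new ApiScope("user.api", "User API (user preferences)")
    };

    public static IEnumerable<IdentityResource> IdentityResources => new IdentityResource[]
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile()
    };

    public static IEnumerable<Client> Clients => new[]
    {
        // Client 1: machine-to-machine. No user is involved, so it gets no identity
        // scopes and cannot request "user.api". Disabling this client (Enabled = false)
        // if the stored secret leaks does not affect the user-facing client below.
        new Client
        {
            ClientId = "device-app-m2m",                      // assumed id
            AllowedGrantTypes = GrantTypes.ClientCredentials,
            ClientSecrets = { new Secret("replace-with-a-real-secret".Sha256()) },
            AllowedScopes = { "application.api" },
            AccessTokenLifetime = 3600                        // separate lifetime rule
        },

        // Client 2: user-facing Device Authorization grant. The user signs in on a
        // second device, so the resulting access token carries the user's claims
        // (sub, name, ...) that the User API reads.
        new Client
        {
            ClientId = "device-app-user",                     // assumed id
            AllowedGrantTypes = GrantTypes.DeviceFlow,
            RequireClientSecret = false,                      // public client, no shared secret needed
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "user.api"
            },
            AllowOfflineAccess = true,                        // refresh tokens so the user is not re-prompted
            AccessTokenLifetime = 900,                        // shorter than the m2m client
            DeviceCodeLifetime = 300                          // user has 5 minutes to approve the device
        }
    };
}

public static class IdentityServerSetup
{
    // Registers both clients with the authorization server.
    public static void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer()
            .AddInMemoryIdentityResources(Config.IdentityResources)
            .AddInMemoryApiScopes(Config.ApiScopes)
            .AddInMemoryClients(Config.Clients)
            .AddDeveloperSigningCredential();                 // development only; use a real key in production
    }
}

public static class UserApiSetup
{
    // Policy for the User API (assumed name "UserApi"): requires the user.api scope
    // AND a sub claim, so a token issued to the client-credentials client is rejected
    // even if it were somehow granted the scope.
    public static void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            options.AddPolicy("UserApi", policy => policy
                .RequireAuthenticatedUser()
                .RequireClaim("scope", "user.api")
                .RequireClaim("sub"));
        });
    }
}
```

With this split, the User API controllers are decorated with `[Authorize(Policy = "UserApi")]` and identify the caller from the `sub` claim, while the Application API only needs to check for the `application.api` scope; revoking or rotating the stored secret touches only `device-app-m2m`.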