Tags: node.js, oauth-2.0, oauth, auth0

User login in a B2B scenario


I'm familiar with the standard OAuth flows and how to implement/use them in standard settings (OAuth server, resources and client applications owned by one entity).

Now when considering the following setting:

  • Backend services owned by "us"
  • New customer (B2B) which wants to use their active directory/Azure Active Directory/etc. for their employees, so they don't have to manage user data on our side/using our systems
  • Users use either a native app or a web application (Angular)
  • Currently, we are creating JWT tokens on the backend and returning them to the client

So how could I log in these users?

My first suggestion would have been to take the user credentials, send them to the Node.js backend as usual, and then "forward" them to the external server to retrieve the access and refresh tokens, keep them, and create new tokens for the communication between the client and the Node.js server.

However, this would violate some OAuth principles I guess.

Is there any way to accomplish that without investing significant effort into integrating services like Auth0 (Multiple Organization Architecture) or Okta, or at least without forwarding to "external" login pages on the user's device?


Solution

  • Solving this needs some investment and a proper Authorization Server (AS) that supports federated logins.

    Key things to aim for:

    • You want to be in control of your own tokens issued and claims / scopes used for authorization

    • Meanwhile end users should be able to sign in via many methods - in your case the AS can initiate SAML / OIDC connections - e.g. to Azure AD, without requiring any code changes in your apps.

    There are some good free / low cost options, such as Curity Community Edition, which supports many authenticators.