I am still trying to understand the OAuth2 flows and how it all works together, so apologies in advance if this example is confusing.
The way I understand the OAuth2 authorization flow is:
Here's where my situation is different. I cannot redirect my users to an authorization server to log in because my company uses a third-party application framework that authenticates users to a proprietary database. Therefore, my users are already authenticated. Also, my users will never need to allow another application to access their contacts, etc., like all of the OAuth2 examples I've seen.
But, I still need to request authorization tokens (in my case, JWTs) that are individual for each user so that they can pass the token to services that may be called from my primary web app.
The Client Credentials flow doesn't seem to make sense to use because as I understand it, it's more of a machine-to-machine flow.
What flow can I use that will allow me to request authorization tokens from my auth server that contain user-specific attributes?
What flow can I use that will allow me to request authorization tokens from my auth server that contain user-specific attributes?
If you trust your client app from a security point of view then you can use the Resource Owner Password Flow. Your client code/app has to take the user credentials and submit them to the authorization server with the other details required for this flow. The authorization server will issue an OAuth access token. If you want the OAuth authorization server to issue a JWT then you have to implement some code to enhance the access token.
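A constructed end-to-end sketch of what the answer describes, added here as an example that is not code from the post or from any real authorization server: the client posts `grant_type=password` with the user's credentials plus its own client credentials to the token endpoint, the server verifies both and mints an HS256 JWT carrying user-specific claims, and a downstream service validates that JWT before trusting the attributes in it. The user store, client registry, signing key, issuer URL and audience name are all made-up sample values.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import os
import time
from urllib.parse import parse_qs

# Constructed sample data for this example only (not from the original post).
SIGNING_KEY = b"example-hmac-key-do-not-reuse"
CLIENTS = {"web-app": "web-app-secret"}          # registered confidential client


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = os.urandom(16)
USERS = {
    "alice": {"salt": _SALT, "hash": _pbkdf2("correct horse", _SALT),
              "department": "finance", "roles": ["reports:read"]},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(claims: dict) -> str:
    """Mint a compact HS256 JWT over the given claims (the 'enhanced' access token)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def token_endpoint(body: str, client_auth: tuple, now: float | None = None) -> tuple:
    """Handle POST /token for grant_type=password; returns (http_status, json_body)."""
    now = time.time() if now is None else now
    client_id, client_secret = client_auth
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected, client_secret):
        return 401, {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    user = USERS.get(form.get("username", ""))
    # Always run the hash so an unknown user takes as long as a wrong password.
    salt = user["salt"] if user else b"\x00" * 16
    candidate = _pbkdf2(form.get("password", ""), salt)
    if user is None or not hmac.compare_digest(candidate, user["hash"]):
        return 400, {"error": "invalid_grant"}
    claims = {
        "iss": "https://auth.example.internal",   # assumed issuer URL
        "sub": form["username"],
        "aud": "reports-service",                 # assumed downstream service name
        "iat": int(now),
        "exp": int(now) + 600,                    # short-lived: 10 minutes
        "department": user["department"],         # the user-specific attributes
        "roles": user["roles"],
        "scope": form.get("scope", ""),
    }
    return 200, {"access_token": issue_jwt(claims), "token_type": "Bearer", "expires_in": 600}


def verify_jwt(token: str, audience: str, now: float | None = None) -> dict | None:
    """What a downstream service does with the bearer token: check algorithm,
    signature, audience and expiry before trusting any attribute in it."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":          # never let the token choose the algorithm
            return None
        expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:                            # bad base64, bad JSON, wrong segment count
        return None
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims


if __name__ == "__main__":
    status, body = token_endpoint(
        "grant_type=password&username=alice&password=correct+horse&scope=reports",
        ("web-app", "web-app-secret"))
    print(status, verify_jwt(body["access_token"], "reports-service"))
```

Two design points worth noting. The password grant means the client handles the user's password directly, which is why the answer conditions it on trusting the client, and why the OAuth 2.0 Security Best Current Practice (RFC 9700) advises against it for new deployments. The verifier pins the algorithm and checks `aud` and `exp` so a token minted for one service cannot be replayed against another or used past its lifetime.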