I have a web application (SPA), which we'll call A. This application calls an API service (that I control), which we'll call B. Service B uses OAuth authentication, and trusts an issuer I.
In my scenario here, there is another API service C (which also uses OAuth authentication and trusts issuer I) that I do not control. In some circumstances I need service B to call service C in response to a user's request from A to B. I can see two (obvious) options here:
As far as I can tell, it is not possible to request an access token that applies to both B and C, because they are separate resources (not simply different scopes in the same resource). It seems to me that this would be a very common scenario, e.g. if my API service needed to make requests to a blob store (Azure Blob Storage or S3) on a user's behalf, or requests to a database server.
Is there a third scenario that I do not know of, or is one of these the correct approach?
The key search phrase for this kind of situation is "downstream API". It is handled by OAuth's "on-behalf-of" flow. It is implemented by the IConfidentialClientApplication interface in ASP.NET, and documentation can be found here: https://learn.microsoft.com/en-us/entra/identity-platform/scenario-web-api-call-api-app-configuration?tabs=aspnetcore
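As an added illustration (not part of the answer above), here is how service B would use the on-behalf-of flow with MSAL.NET's IConfidentialClientApplication: B validates the token it received from A, exchanges it at issuer I for a token whose audience is C, and calls C with that. The tenant, B's client id and secret, the scope for C and C's URL are assumed placeholders.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Client;

// Registration in Program.cs (assumed values): B authenticates to issuer I
// with its own client credential when it performs the exchange.
// builder.Services.AddSingleton<IConfidentialClientApplication>(
//     ConfidentialClientApplicationBuilder.Create("<B-client-id>")
//         .WithClientSecret("<B-client-secret>")
//         .WithAuthority(new Uri("https://login.microsoftonline.com/<tenant-id>"))
//         .Build());

[ApiController]
[Route("api/orders")]
[Authorize] // JwtBearer middleware checks signature, issuer I and audience B first
public class OrdersController : ControllerBase
{
    // Assumed scope identifying downstream service C as the requested resource.
    private static readonly string[] DownstreamScopes = { "api://service-c/.default" };

    private readonly IConfidentialClientApplication _app;
    private readonly IHttpClientFactory _httpFactory;

    public OrdersController(IConfidentialClientApplication app, IHttpClientFactory httpFactory)
    {
        _app = app;
        _httpFactory = httpFactory;
    }

    [HttpGet]
    public async Task<IActionResult> Get()
    {
        // The bearer token A presented to B. Only a token already accepted by
        // [Authorize] (aud == B) may be used as the user assertion below.
        var header = Request.Headers["Authorization"].ToString();
        if (!header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
            return Unauthorized();
        var incomingToken = header.Substring("Bearer ".Length);

        // On-behalf-of exchange: I issues a new token for C that still carries
        // the user's identity, so C can authorise the request as that user.
        AuthenticationResult result = await _app
            .AcquireTokenOnBehalfOf(DownstreamScopes, new UserAssertion(incomingToken))
            .ExecuteAsync();

        var client = _httpFactory.CreateClient();
        client.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", result.AccessToken);
        var response = await client.GetAsync("https://service-c.example/api/resource"); // assumed C endpoint
        return StatusCode((int)response.StatusCode, await response.Content.ReadAsStringAsync());
    }
}
```

The token for C never reaches A, and the token from A is never forwarded to C; each token keeps a single audience, which is why the exchange is needed rather than a combined B+C token.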