When implementing applications that access OAuth 2.0 protected APIs, a few questions come up again and again from different parties. Before diving into those questions, let's brush up on the four core OAuth 2.0 grant types and their usages.
- Authorization Code Grant - Typically used by web applications with a server-side component, including 3rd party applications. The application first obtains an authorization code through the end user's browser and then exchanges that code at the token endpoint for an access token.
- Implicit Grant - Historically used by mobile and single page applications that cannot keep a client secret; the access token is returned directly in the redirect URL fragment. The OAuth 2.0 Security Best Current Practice now recommends the authorization code grant with PKCE (RFC 7636) for these clients instead.
- Resource Owner Password Credentials Grant (username/password) - Typically used by first-party applications that the API provider trusts, because the application handles the user's password directly. For example, applications within the same organization as the API provider can use this approach to obtain an end-user access token.
- Client Credentials Grant - Used by an application to obtain an application (non-user) access token with its own client ID and client secret.
You can read more about these at https://tools.ietf.org/html/rfc6749
Now let's look at the common questions raised by application developers.
Q1 - My application must do SSO with SAML 2.0. It should also access APIs without asking the end users to log in again.
OAuth 2.0 also leaves room for extension grant types beyond the four above. One of the earliest of these is the OAuth 2.0 SAML 2.0 bearer assertion grant (RFC 7522). It allows an application to obtain an access token by presenting the SAML assertion it already received during SSO, so the end user is not asked to log in a second time. That answers Q1.
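The SAML bearer exchange described above, as an added example (not code from the original post): the application posts the base64url-encoded assertion to the token endpoint with the `urn:ietf:params:oauth:grant-type:saml2-bearer` grant type, authenticates itself with HTTP Basic, and validates the token response before caching it. The token endpoint URL, client credentials and the assertion are constructed placeholders.

```python
"""Exchange a SAML 2.0 assertion for an OAuth 2.0 access token (RFC 7522).

Added example, not code from the original post. The token endpoint, client
credentials and the SAML assertion below are constructed placeholders.
"""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Optional

SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"

# Assumed values for the example; a real assertion is the signed XML issued by the IdP.
TOKEN_ENDPOINT = "https://auth.example.com/oauth2/token"
CLIENT_ID = "my-web-app"
CLIENT_SECRET = "s3cret"
SAMPLE_ASSERTION = (b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
                    b'ID="_constructed-example" Version="2.0"/>')


def b64url(data: bytes) -> str:
    """RFC 7522 carries the assertion base64url-encoded; padding may be omitted."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_saml_bearer_request(assertion_xml: bytes,
                              scope: Optional[str] = None) -> urllib.request.Request:
    """Build the token endpoint POST: the saml2-bearer grant type plus the encoded assertion.

    The client authenticates itself with HTTP Basic (client_id:client_secret);
    the assertion proves who the end user is, so no password prompt is needed.
    """
    form = {"grant_type": SAML2_BEARER, "assertion": b64url(assertion_xml)}
    if scope:
        form["scope"] = scope
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode("utf-8")).decode("ascii")
    return urllib.request.Request(
        TOKEN_ENDPOINT,
        data=urllib.parse.urlencode(form).encode("ascii"),
        method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": f"Basic {creds}",
        },
    )


def parse_token_response(raw: bytes, now: Optional[float] = None) -> dict:
    """Validate the token response (RFC 6749 section 5) and compute an absolute expiry.

    An error response or a non-bearer token_type raises, so the caller never
    caches something it cannot present as "Authorization: Bearer ...".
    """
    payload = json.loads(raw)
    if "error" in payload:
        raise ValueError(f"token request failed: {payload['error']}: "
                         f"{payload.get('error_description', '')}")
    if str(payload.get("token_type", "")).lower() != "bearer":
        raise ValueError(f"unsupported token_type {payload.get('token_type')!r}")
    now = time.time() if now is None else now
    expires_in = payload.get("expires_in")
    return {
        "access_token": payload["access_token"],
        "expires_at": None if expires_in is None else now + int(expires_in),
        "scope": payload.get("scope"),
    }


def exchange_saml_assertion(assertion_xml: bytes, opener=urllib.request.urlopen) -> dict:
    """Run the exchange; `opener` is injectable so the flow can be exercised offline."""
    with opener(build_saml_bearer_request(assertion_xml)) as resp:
        return parse_token_response(resp.read())
```

The authorization server still has to validate the assertion (signature, audience, expiry, and that the issuer is a trusted IdP) before it issues a token; the client only has to present it correctly.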
Q2 - My web application should access 3rd party APIs as the end user. How can I obtain an access token to call those APIs?
When 3rd party APIs need to be accessed on behalf of the end user, redirect the user to the 3rd party authorization server to obtain an authorization code, then exchange that code for an access token at the 3rd party token endpoint. This means the user first authenticates to your application and then authenticates (and consents) at the 3rd party authorization server as well. Alternatively you can obtain an application token with the client credentials grant, but in that case the application is not accessing the APIs as the end user, so the 3rd party API cannot tell which user is behind the call.
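The redirect-and-exchange flow described above, as an added example that is not part of the original post. It builds the authorization request with a random `state` (so a forged or replayed callback is rejected) and a PKCE code challenge (RFC 7636), validates the callback against the user's server-side session, and builds the code-for-token request. The 3rd party endpoints, client credentials, redirect URI and the session dictionary are constructed placeholders.

```python
"""Obtain a delegated (end-user) access token from a 3rd party API provider with
the authorization code grant, using state and PKCE (RFC 7636).

Added example, not code from the original post. Endpoint URLs, client
credentials, redirect URI and the session store are constructed placeholders.
"""
import base64
import hashlib
import hmac
import secrets
import urllib.parse
import urllib.request
from typing import Dict

# Assumed 3rd party provider endpoints and client registration (placeholders).
AUTHORIZE_ENDPOINT = "https://thirdparty.example.com/oauth2/authorize"
TOKEN_ENDPOINT = "https://thirdparty.example.com/oauth2/token"
CLIENT_ID = "my-web-app"
CLIENT_SECRET = "s3cret"
REDIRECT_URI = "https://myapp.example.com/oauth/callback"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: base64url(SHA-256(verifier)) without padding (RFC 7636)."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def start_authorization(session: Dict[str, str], scope: str) -> str:
    """Step 1: build the URL the user's browser is redirected to.

    A random `state` (CSRF binding) and the PKCE verifier are kept in the
    user's server-side session so the callback can be tied to this request.
    """
    session["oauth_state"] = secrets.token_urlsafe(32)
    session["pkce_verifier"] = secrets.token_urlsafe(64)   # 86 chars, within the 43..128 limit
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": session["oauth_state"],
        "code_challenge": pkce_challenge(session["pkce_verifier"]),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params)


def handle_callback(session: Dict[str, str], callback_url: str) -> urllib.request.Request:
    """Step 2: validate the callback and build the code-for-token POST.

    Rejects a callback whose `state` does not match the session, surfaces a
    provider error instead of ignoring it, and sends the PKCE verifier along
    with the code. State and verifier are single-use, so they are removed.
    """
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    expected_state = session.pop("oauth_state", None)
    verifier = session.pop("pkce_verifier", None)
    received_state = query.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(received_state, expected_state):
        raise ValueError("state mismatch: callback is not bound to this session")
    if "error" in query:
        raise ValueError(f"authorization denied: {query['error'][0]}")
    if "code" not in query or verifier is None:
        raise ValueError("callback carries no authorization code")
    form = {
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": REDIRECT_URI,   # must equal the value sent in step 1
        "code_verifier": verifier,
    }
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode("utf-8")).decode("ascii")
    return urllib.request.Request(
        TOKEN_ENDPOINT,
        data=urllib.parse.urlencode(form).encode("ascii"),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Authorization": f"Basic {creds}"},
    )
```

The token the 3rd party returns is scoped to that user and that consent; store it against the user's record (see Q3 below for reusing it across the provider's APIs) rather than in a process-wide variable.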
Q3 - I don't want my application to maintain multiple OAuth access tokens for the same API provider. Is this possible?
Yes. For the same provider you can access multiple APIs with the same OAuth 2.0 token, as long as the token was issued with the scopes those APIs require. Most API provider platforms support this by default.
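One way to keep a single token per provider and reuse it across that provider's APIs, as an added example (not code from the original post). It also checks that the cached token actually carries the scope an API needs and refreshes the token once it is about to expire, which goes a little beyond the answer above. The provider names, the refresh callback and the token responses are constructed placeholders.

```python
"""Reuse one access token per API provider across all of that provider's APIs.

Added example, not code from the original post. The provider names, the
refresh callback and the token responses are constructed placeholders.
"""
import time
from typing import Callable, Dict, Optional


class ProviderTokenCache:
    """Holds at most one token set per provider and hands out bearer headers.

    `refresher(provider, refresh_token)` is an assumed callback that POSTs a
    refresh_token grant to that provider's token endpoint and returns the
    parsed JSON response; injecting it keeps the cache itself offline.
    """

    def __init__(self, refresher: Callable[[str, str], dict],
                 clock: Callable[[], float] = time.time, skew_seconds: int = 30):
        self._refresher = refresher
        self._clock = clock
        self._skew = skew_seconds
        self._tokens: Dict[str, dict] = {}

    def store(self, provider: str, token_response: dict) -> None:
        """Cache a token response (RFC 6749 section 5.1) under the provider's name."""
        if str(token_response.get("token_type", "")).lower() != "bearer":
            raise ValueError("only bearer tokens can be sent in an Authorization header")
        previous = self._tokens.get(provider, {})
        expires_in = token_response.get("expires_in")
        scope = token_response.get("scope")
        self._tokens[provider] = {
            "access_token": token_response["access_token"],
            # A refresh response may rotate the refresh token; otherwise keep the old one.
            "refresh_token": token_response.get("refresh_token", previous.get("refresh_token")),
            "expires_at": None if expires_in is None else self._clock() + int(expires_in),
            # Scope omitted in a response means "unchanged" (space-delimited string).
            "scope": set(scope.split()) if scope else previous.get("scope", set()),
        }

    def _expired(self, entry: dict) -> bool:
        return entry["expires_at"] is not None and self._clock() + self._skew >= entry["expires_at"]

    def bearer_header(self, provider: str, required_scope: Optional[str] = None) -> Dict[str, str]:
        """Return the Authorization header for any API of `provider`.

        Every API of the provider gets the same token; it is refreshed once it
        is (nearly) expired. A token that was never granted the scope an API
        needs is rejected so the caller re-authorizes instead of guessing.
        """
        if provider not in self._tokens:
            raise KeyError(f"no token cached for provider {provider!r}; run the grant first")
        entry = self._tokens[provider]
        if required_scope and entry["scope"] and required_scope not in entry["scope"]:
            raise PermissionError(f"token for {provider!r} was not granted scope {required_scope!r}")
        if self._expired(entry):
            if not entry["refresh_token"]:
                del self._tokens[provider]
                raise KeyError(f"token for {provider!r} expired and has no refresh token")
            self.store(provider, self._refresher(provider, entry["refresh_token"]))
            entry = self._tokens[provider]
        return {"Authorization": f"Bearer {entry['access_token']}"}
```

Keep one cache per end user when the token was obtained on a user's behalf (Q2); sharing a user-scoped token between users is a confused-deputy bug, not a cache optimization.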