APIs that Consume APIs - JWT Bearer Grant Type

OAuth protocol has provision to design custom grant type in addition to the four grant types that are mentioned in the specification. SAML grant type is of the first grant types that came out as an extensions and many IdPs support this. Many IdPs allow to write plugins that enable other custom grant types, and among the most popular grant types are,

• Biometrics - Here the biometrics such as your fingerprint or retina scan is used obtain an access token. This is pretty useful for mobile apps.
• JWT - Here a service that has a JWT token may use it to obtain a access token to access another API

Here is a scenario for JWT grant type.

You are writing a service that allows employees to report time that they spend on customer work. Your service has received a JWT token so it can do authorizations.  One of the methods in the service is as below,

reportTimeForCustomer(String clientId, String ticketId, int durationInMinutes) {}

First of all, authorization checks happen based on the JWT and the next step is to validate clientId and ticketId before proceeding. There is a CustomerAPI and TicketAPI that can perform validations.

But both of these APIs are OAuth protected. How do you proceed? How would you obtain an access token to access this service. You have several options,

• You can take an application token
• You can take an access by presenting the JWT token as mentioned above

Applications Accessing OAuth Protected APIs

When implementing applications that access OAuth2.0 protected APIs there are few recurrent questions asked by different parties. Before diving into the those questions, lets brush up on the for different OAuth2.0 grant-types and their usages.

• Authorization Grant - Typically used by 3rd party web applications. They can obtain an authorization code that can be used to get an access token. 
• Implicit Grant - Typically used by mobile phones and single page applications to obtain an access token.
• Username/Password Grant - Typically used by trusted applications by clients. For example, the applications within the same organization as the the API provider can use this approach to obtain an Enduser access token.
• Client Credential Grant - Used to get an application access token.

You can read more about these at https://tools.ietf.org/html/rfc6749

Now lets look at the common questions raised by some application developers.

Q1 - My application must do SSO with SAML2.0. It should also access APIs without requesting the end users to login again.

Additionally there is freedom to design and implement different grant-types. One of the first grant-type is OAuth2.0 SAML2.0 bearer token. This allows an application to obtain an access token by presenting the SAML token, so this answers your Q1.

Q2 - My web application should access 3rd party APIs as the end user. How can I obtain an access token to call the APIs?

When 3rd party APIs needs to be accessed, redirect the end user to the 3rd party auth server to get authorization code. This means the user has to first authenticate to your app, and then authenticate to the 3rd party auth server.  Or else you can obtain an application token using client credential grant-type, but in this method the application is not accessing the APIs as the end user.

Q3 - I don't want my application to maintain multiple OAuth access tokens for the same API provider. Is this possible?

For the same provider you can access multiple APIs using the same OAuth2.0 tokens. This is inbuilt into API provider platform by default, mos of the time