I am trying to find the best way to solve the following problem: our application is SaaS, and it supports SAML for web login. The application also exposes REST APIs that are supposed to be used in automated and unattended processes, meaning there is no interactive user to type credentials. We need to allow developers to programmatically authenticate the unattended process against the relevant IdP (which is already defined, because the same credentials used for API access can also be used to access the web application).
The flow I imagine is as follows: the program authenticates using a dedicated API, gets a token and uses the token for the next calls.
Most of the answers I find when searching for best ways to secure REST APIs suggest OAuth, which normally requires an interactive user, because they discuss an interactive application trying to access REST APIs in another system on behalf of the user, who is there to type in the password. Is OAuth the answer for my challenge as well? If so, what is the flow?
Thanks!
Indeed OAuth 2.0 can be used for this use case because it allows so-called clients (i.e. your unattended processes) to obtain an access token granted by developers and use that token against your APIs.
A typical flow to use here is the code flow: you would run an Authorization Server that issues tokens to clients if consented to by developers. Developers would log in to the Authorization Server using SAML Web SSO.
Note that it does not require an active user at the time of accessing the REST API, but it would require one at the time of token issuance. I believe that is what you are actually looking for. If not, there are other flows that can be leveraged that don't require an active user at all, but I believe they are not suitable for this particular use case; after all you want the clients to operate on behalf of the developers.
Your Authorization Server may also issue a refresh token to the client in addition to an access token so that upon expiry of the old access token, your client can get a new access token from the Authorization Server using the refresh token, without having to (interactively) involve the developer again.
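As an added illustration of the arrangement described in this answer (example code, not from the answer's author), here is a constructed in-memory model of the Authorization Server and the unattended client: one interactive grant after SAML login, then silent refreshes with rotation of the used refresh token. Names such as `grant`, `refresh` and `introspect` are assumed stand-ins for the token and introspection endpoints.

```python
import secrets
# Constructed in-memory stand-in for the Authorization Server in the answer
# (assumed names, not a real library); the SAML login and consent step is
# represented by grant(), after which no developer is involved again.
class AuthorizationServer:
    def __init__(self, access_ttl=3600):
        self.access_ttl = access_ttl
        self.access_tokens = {}   # access token -> (developer, expiry)
        self.refresh_tokens = {}  # refresh token -> developer

    def grant(self, developer, now):
        # Completion of the code flow: developer logged in via SAML Web SSO,
        # consented, and the client exchanged the authorization code.
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[access] = (developer, now + self.access_ttl)
        self.refresh_tokens[refresh] = developer
        return {"access_token": access, "refresh_token": refresh}

    def refresh(self, refresh_token, now):
        # Unattended step: old refresh token is revoked and a new pair issued.
        developer = self.refresh_tokens.pop(refresh_token, None)
        if developer is None:
            raise PermissionError("invalid_grant")
        return self.grant(developer, now)

    def introspect(self, access_token, now):
        # Resource-server check: the developer the token acts for, or None.
        entry = self.access_tokens.get(access_token)
        return entry[0] if entry and entry[1] > now else None

def call_api(server, tokens, now):
    # Client side: present the access token; on expiry, refresh silently.
    developer = server.introspect(tokens["access_token"], now)
    if developer is None:
        tokens = server.refresh(tokens["refresh_token"], now)
        developer = server.introspect(tokens["access_token"], now)
    return developer, tokens

def demo():
    server = AuthorizationServer(access_ttl=3600)
    tokens = server.grant("alice", now=0)               # one-time interactive step
    first, tokens = call_api(server, tokens, now=10)    # token still valid
    old_refresh = tokens["refresh_token"]
    second, tokens = call_api(server, tokens, now=4000) # expired -> silent refresh
    rotated = tokens["refresh_token"] != old_refresh
    try:
        server.refresh(old_refresh, now=4000)           # replay of a used token
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return first, second, rotated, replay_rejected
```

`demo()` returns `("alice", "alice", True, True)`: both calls act on behalf of the developer who consented once, the refresh token was rotated, and the superseded one is rejected.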