The OAuth 2 spec leads me to believe that the "resource server" and "authorization server" do not necessarily have to be the same application but I'm struggling to figure out how this is actually implemented in practice.
As an example, suppose the following apps exist:
Scenario #1: Logging in to web frontend
Scenario #2: Authorizing third-party app
The part I'm having trouble understanding is how to authenticate the user before showing the allow/deny form in scenario #2. The user may be logged into the main web app but the auth service has no idea about that and would somehow need to authenticate the user again. Does the auth service need to support login/sessions as well?
I'm wondering if it might make more sense for the web app to be responsible for showing the allow/deny form for two reasons:
Here's one possible alternative to scenario #2:
What's the best way to handle this? Any general comments, advice, etc. would be awesome!
Thanks
OAauth2 framework docs : https://tools.ietf.org/html/rfc6749
(A) The client requests an access token by authenticating with the authorization server and presenting an authorization grant.
(B) The authorization server authenticates the client and validates the authorization grant, and if valid, issues an access token and a refresh token.
(C) The client makes a protected resource request to the resource server by presenting the access token.
(D) The resource server validates the access token, and if valid, serves the request.
(E) Steps (C) and (D) repeat until the access token expires. If the client knows the access token expired, it skips to step (G); otherwise, it makes another protected resource request.
(F) Since the access token is invalid, the resource server returns an invalid token error.
(G) The client requests a new access token by authenticating with the authorization server and presenting the refresh token. The client authentication requirements are based on the client type and on the authorization server policies.
(H) The authorization server authenticates the client and validates the refresh token, and if valid, issues a new access token (and, optionally, a new refresh token).