Scenario: We are exposing a web API to pre-registered applications. This API is publicly exposed, but should be available only to registered applications (clients). For this we have chosen OAuth2 authorization, and the resource server accepts bearer tokens from the authorization server.
We are using Thinktecture IdentityServer v3 for OAuth purposes.
We have chosen the OAuth2 client credentials flow, and we are sharing the secret with server-based applications. Up to this point it is all good. Now we have a native iOS mobile app that needs to access our protected API. We read that it's not a good idea to share the secret with JavaScript/mobile apps.
Also, importantly, the iOS mobile app has its own identity provider (ADFS). So before requesting the token from the authorization server, the user must already have logged in to the iOS app.
Considering this scenario, could you please suggest how the resource server can trust this native iOS app? We thought of using the implicit flow. But because the iOS mobile app has its own authentication, the authorization server needs a way to determine that the incoming request has already been authenticated using an external identity provider, and issue an access token automatically to the iOS app.
How do we make the authorization server trust the external identity provider and issue an access token when a request comes from that iOS app, instead of redirecting the user to the authorization server's login page?
Is a single resource server able to accept tokens from multiple authorization servers? If not, why?
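The following is an added illustration of the last question in the post (one resource server, several trusted issuers); it is not code from the question, from IdentityServer v3 or from ADFS. It assumes, hypothetically, that tokens are HS256 JWTs and that each issuer has its own shared secret; the issuer URLs, audience name and clock value are constructed for the example. Real deployments normally use RS256 with each issuer's published public key, but the trust decision shown (the `iss` claim only selects a key from the resource server's own configuration, never from the token) is the same.

```python
"""Resource server accepting bearer tokens from more than one issuer.

Added illustration; not code from the question, IdentityServer v3 or ADFS.
Hypothetical assumptions: HS256 JWTs, one shared secret per issuer.
"""
import base64
import hashlib
import hmac
import json

# Constructed example configuration: issuer URL -> verification key.
TRUSTED_ISSUERS = {
    "https://idsrv.example/": b"idsrv-shared-secret",
    "https://adfs.example/": b"adfs-shared-secret",
}
MY_AUDIENCE = "protected-api"
NOW = 1_700_000_000  # fixed clock so results are reproducible


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer, key, client_id, audience, now, ttl=3600):
    """What an authorization server hands out for the client credentials grant."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "client_id": client_id,
              "sub": client_id, "iat": now, "exp": now + ttl}
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenRejected(Exception):
    pass


def validate_bearer(token, trusted_issuers, my_audience, now):
    """Resource-server check. Returns the claims or raises TokenRejected."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
        sig = _b64url_decode(s_b64)
        alg = header.get("alg")
        issuer = claims.get("iss")
    except (ValueError, TypeError, AttributeError):
        raise TokenRejected("malformed token")
    # Pin the algorithm: the token must not be able to choose "none" or another family.
    if alg != "HS256":
        raise TokenRejected("unexpected alg")
    # The iss claim only SELECTS a key from our configuration. An unknown issuer
    # is refused before any signature work; a known issuer's own key is then used,
    # so a token claiming issuer A but signed with issuer B's key fails.
    if issuer not in trusted_issuers:
        raise TokenRejected("untrusted issuer")
    expected = hmac.new(trusted_issuers[issuer], f"{h_b64}.{c_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenRejected("bad signature")
    # Each issuer is trusted only for tokens minted for THIS API.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if my_audience not in audiences:
        raise TokenRejected("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise TokenRejected("expired")
    return claims


def outcome(token, now=NOW + 10):
    """Summarise the check as a string; handy for tests and access logs."""
    try:
        claims = validate_bearer(token, TRUSTED_ISSUERS, MY_AUDIENCE, now)
        return f"ok:{claims['iss']}:{claims['client_id']}"
    except TokenRejected as e:
        return f"rejected:{e}"


if __name__ == "__main__":
    good = mint_token("https://idsrv.example/",
                      TRUSTED_ISSUERS["https://idsrv.example/"],
                      "server-app-1", MY_AUDIENCE, NOW)
    print(outcome(good))  # ok:https://idsrv.example/:server-app-1
```

The point the example makes: nothing stops one resource server from trusting several authorization servers, as long as the set of issuers and the key for each is fixed in the resource server's configuration and the issuer named in the token is only used to pick which configured key to verify with. With RS256 tokens the per-issuer key would come from each issuer's published signing keys rather than a shared secret, but the lookup stays keyed on the issuer. Note that every issuer on the list can mint tokens your API will accept, so the audience (and, in practice, scope) check is what keeps a token issued for some other API from being replayed against yours.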