We are tasked with building a WebAPI for a distribution company with a handful of re-sellers who already have websites of their own.

Re-sellers accept orders from their own customers through their own webservers. After an order has been validated, re-sellers want to automatically forward the order's data to the distributor. The re-seller's webserver would send a request to our WebAPI with authentication and order data - there would be no user interaction for this.

I'd like to know if OAuth can be used for authenticating requests from a re-seller's website. Most everything I've read about OAuth seems to focus on a User interacting with a login, but our scenario is mainly machine-to-machine.

If not OAuth, what is the "typical" authentication mechanism of choice for machine-to-machine type communications?

BRGMH

1 Answer

There are 4 different grant types in OAuth2. The one that is most suitable to your use case is the "Client Credentials" grant type.

RFC 6749 states:

Client credentials are used as an authorization grant typically when the client is acting on its own behalf (the client is also the resource owner) or is requesting access to protected resources based on an authorization previously arranged with the authorization server.

Note the phrase "on its own behalf" as opposed to "user's behalf".

In this flow the client directly gets the access token from the authorization server by providing the appropriate client id and client secret.

Saptarshi Basu
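As an added illustration of the client-credentials flow the answer describes (this is not code from the question or the answer), here are both sides of the exchange in Python: the re-seller's token request and order forward, and the distributor's token and order endpoints. The client id, secret, scope and in-memory stores are hypothetical stand-ins for the authorization server's real configuration.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs

# Constructed sample data: the distributor registers each re-seller as an OAuth2
# client and keeps only a hash of the client_secret it handed over out of band.
REGISTERED = {"acme-reseller": hashlib.sha256(b"s3cr3t-example").hexdigest()}
ISSUED = {}  # access_token -> {"client_id", "scope", "exp"}

def build_token_request(client_id, client_secret, scope="orders:write"):
    """Re-seller side: RFC 6749 4.4.2 token request, client authenticated with HTTP Basic."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"method": "POST", "path": "/token",
            "headers": {"Authorization": f"Basic {creds}",
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": f"grant_type=client_credentials&scope={scope}"}

def token_endpoint(req, now=None):
    """Distributor side: verify the client credentials, then issue a short-lived token."""
    auth = req["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        client_id, secret = base64.b64decode(auth[6:]).decode().split(":", 1)
    except ValueError:
        return 401, {"error": "invalid_client"}
    given = hashlib.sha256(secret.encode()).hexdigest()
    # Constant-time compare; an unknown client_id takes the same path as a wrong secret.
    if not hmac.compare_digest(REGISTERED.get(client_id, ""), given):
        return 401, {"error": "invalid_client"}
    form = parse_qs(req["body"])
    if form.get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    token = secrets.token_urlsafe(32)  # opaque, unguessable bearer token
    ISSUED[token] = {"client_id": client_id, "scope": form.get("scope", [""])[0],
                     "exp": (now or time.time()) + 600}
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 600}

def forward_order(token, order):
    """Re-seller side: present the token when forwarding a validated order."""
    return {"method": "POST", "path": "/orders", "body": json.dumps(order),
            "headers": {"Authorization": f"Bearer {token}",
                        "Content-Type": "application/json"}}

def orders_endpoint(req, now=None):
    """Distributor side: accept only with a live token that carries orders:write."""
    auth = req["headers"].get("Authorization", "")
    info = ISSUED.get(auth[7:]) if auth.startswith("Bearer ") else None
    if (info is None or info["exp"] <= (now or time.time())
            or "orders:write" not in info["scope"].split()):
        return 401, {"error": "invalid_token"}
    return 201, {"accepted_for": info["client_id"], "order_id": json.loads(req["body"])["id"]}
```

Both requests would travel over TLS in practice; the token is short-lived and scoped so that a leaked one only lets the holder post orders for a few minutes, not manage the re-seller's account.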