I am trying to design an authentication schema for a web application having an Angular layer on the client side and Spring Boot on the server. The users of such a web app reside within an organization's network, log in to their PCs and should use the web app without needing to log in via another page requesting credentials.
I've been studying various mechanisms, but the one which best follows the infrastructure on the client side is the Authorization Code Grant of the OAuth 2.0 framework RFC. The client does in fact have an ADFS 4.0 server which will work as an authorization server and reply with a JWT. The above-mentioned flow is described in section 4.1, while there are other ones as well which might be useful for other cases.
The flow is clear, but I'm failing to understand one (apparently) simple fact: how does the authorization server recognize the user? In both requests there is no parameter to include the credentials, while it is presumed that the access_token which they get at the end will contain the claims (username, groups, roles etc.). I would prefer staying in this case, but then, in section 4.4 we have another flow type explained where the user inserts the credentials. Still, the requirement is for the user NOT to re-insert any credentials.
One route I was trying to uncover was to recover the user details from their workstation (Windows authentication integration) via the user-agent (the client's browser). But it seems it needs configuration on the agent, and not a straightforward one for an end-user. It is also known that the organization's domain uses Kerberos to grant access to the users in their network, but I can't see how to fit this component into the mix.
So, the concluding question is: how to perform an auto-authentication (hidden from the user) with the profile they've logged in to the machine with? Does the Authorization Code Grant fulfil this requirement implicitly somehow? Also, do you suggest handling the whole redirection sequence directly in Angular, or is it better to take advantage of Spring Security's integration with OAuth?
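The following is an added example (not code from the question, nor from ADFS or Spring) that simulates the Authorization Code Grant exchange of RFC 6749 section 4.1 end to end, to make one point concrete: neither the authorization request (4.1.1) nor the token request (4.1.3) carries the resource owner's credentials, because authenticating the resource owner is the authorization server's own business with the user-agent, and the RFC leaves the method out of scope. Here that step is modelled two ways: an existing session cookie, or a `Negotiate` header as a browser would send under integrated Windows authentication. The host names, the cookie name `session`, the client id `angular-app` and the treatment of the Negotiate token as a bare `user@REALM` string are all assumptions made for the simulation; no real Kerberos or JWT signing takes place. The client side also performs the `state` check and the server rejects unregistered redirect URIs and reused codes, since those are the checks this flow depends on.

```python
"""Simulated OAuth 2.0 Authorization Code Grant (RFC 6749 section 4.1).

Added illustration; not code from the question, ADFS or Spring Security.
The user is identified from the user-agent's credentials to the
authorization server (session cookie or Negotiate/SPNEGO header), never
from an OAuth request parameter. Kerberos validation is a placeholder.
"""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHZ_ENDPOINT = "https://adfs.example.internal/adfs/oauth2/authorize"  # assumed host
TOKEN_ENDPOINT = "https://adfs.example.internal/adfs/oauth2/token"      # assumed host


def build_authorization_request(client_id, redirect_uri, scope, state):
    """Section 4.1.1: the client redirects the user-agent to this URL.
    Note the parameter set: nothing here identifies the resource owner."""
    return AUTHZ_ENDPOINT + "?" + urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    })


class AuthorizationServer:
    def __init__(self, clients):
        self.clients = clients   # client_id -> registered redirect_uri
        self.sessions = {}       # session cookie value -> username
        self.codes = {}          # code -> (client_id, redirect_uri, user)

    def _resolve_user(self, headers):
        """Who is the resource owner? Decided from the user-agent's
        credentials to *this* server, not from OAuth parameters."""
        cookie = headers.get("Cookie", "")
        if cookie.startswith("session=") and cookie[len("session="):] in self.sessions:
            return self.sessions[cookie[len("session="):]]
        auth = headers.get("Authorization", "")
        if auth.startswith("Negotiate "):
            # Placeholder for SPNEGO/Kerberos ticket validation (assumption):
            # the token is treated as a plain "user@REALM" string.
            principal = auth[len("Negotiate "):]
            if "@" in principal:
                return principal.split("@")[0]
        return None

    def authorize(self, url, headers):
        """Section 4.1.2: either a challenge or a redirect carrying the code."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if q.get("response_type") != "code" or q.get("client_id") not in self.clients:
            return {"status": 400, "error": "invalid_request"}
        if q.get("redirect_uri") != self.clients[q["client_id"]]:
            # Never redirect to an unregistered URI: the code would leak.
            return {"status": 400, "error": "invalid_request"}
        user = self._resolve_user(headers)
        if user is None:
            # Integrated Windows auth: challenge the browser for a Kerberos ticket.
            return {"status": 401, "headers": {"WWW-Authenticate": "Negotiate"}}
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], q["redirect_uri"], user)
        location = q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})
        return {"status": 302, "location": location}

    def token(self, form):
        """Sections 4.1.3/4.1.4: exchange the code for a token with the user's claims."""
        entry = self.codes.pop(form.get("code"), None)   # single use: a replayed code fails
        if form.get("grant_type") != "authorization_code" or entry is None:
            return {"status": 400, "error": "invalid_grant"}
        client_id, redirect_uri, user = entry
        if form.get("client_id") != client_id or form.get("redirect_uri") != redirect_uri:
            return {"status": 400, "error": "invalid_grant"}
        # The claims would travel in a signed JWT; signing is omitted here.
        return {"status": 200, "token_type": "Bearer",
                "access_token": {"sub": user, "aud": client_id}}


def run_flow(server, headers, client_id="angular-app",
             redirect_uri="https://app.example.internal/callback"):
    """Drives one full flow from the client's point of view.
    Returns the server's last response; raises on a state mismatch (CSRF)."""
    state = secrets.token_urlsafe(16)
    url = build_authorization_request(client_id, redirect_uri, "openid", state)
    resp = server.authorize(url, headers)
    if resp["status"] != 302:
        return resp
    cb = {k: v[0] for k, v in parse_qs(urlparse(resp["location"]).query).items()}
    if cb.get("state") != state:
        raise ValueError("state mismatch: possible CSRF")
    return server.token({"grant_type": "authorization_code", "code": cb["code"],
                         "redirect_uri": redirect_uri, "client_id": client_id})


if __name__ == "__main__":
    srv = AuthorizationServer({"angular-app": "https://app.example.internal/callback"})
    print(run_flow(srv, {}))                                           # 401 + Negotiate challenge
    print(run_flow(srv, {"Authorization": "Negotiate alice@CORP.EXAMPLE"}))  # token for alice
```

Running the block with no credentials on the user-agent shows the 401 `Negotiate` challenge; with a (simulated) Kerberos principal or a known session cookie the same two OAuth requests complete and the token names that user, which is the whole of the "hidden" authentication: the browser, not the Angular code, answers the authorization server's challenge.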