I'm currently trying to implement Steam authentication for a Spring WebFlux REST API and I want to use JWT. My problem at the moment is understanding how the Steam OpenID login works. Normally I have to provide a client-id and a client-secret, but for Steam I only have the API key and the provider URL. Also, I'm a bit confused about how I check on my API whether the login was successful, because (if I understand it correctly) the step of OAuth where my API can verify the key, provided by the client, on the provider API is missing and I have to trust the client.
I don't understand how I authenticate my user with this API if I can't trust them, and how other sites have done this.
I don't know if I'm just totally wrong, but I'm stuck on this. I tried to implement it following this guideline because I use WebFlux: https://docs.spring.io/spring-security/site/docs/5.1.0.RELEASE/reference/html/webflux-oauth2.html
Hopefully somebody can help me.