Hi, I want to ask if there is any possibility to have 2 types of authorization in the same API, for 2 separate endpoints, one to use client_credentials and the other to use authorization_code? The code is in RAML.
1 Answer
Short answer: Yes, it's possible.
The API should only care about the access token (JWT) & claims (user id, etc.) returned from your auth provider, not the authentication method (unless it's a business requirement).
User can authenticate himself via a login flow and then receives an authorization code, which is then exchanged for an access token. This is authorization_flow in essence.
Or the request can be authenticated using client id + secret and uses the received access token (client_credentials flow). This access token doesn't contain a user claim (because it's usually done in a machine-to-machine communication).
So unless the API relies on user claims being present in the access token, it doesn't matter how you retrieve it, as long as it's valid.

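A RAML 1.0 definition that declares the two grant types as separate security schemes and applies one to each endpoint, as an added example (not code from the question or the answer); the host, token endpoint URIs, scope names and resource paths are assumed.

```yaml
#%RAML 1.0
title: Orders API
version: v1

securitySchemes:
  # Machine-to-machine: token has no user claim (client_credentials)
  oauth2_client:
    type: OAuth 2.0
    describedBy:
      headers:
        Authorization:
          description: Bearer access token obtained with client_credentials
          type: string
      responses:
        401:
          description: Missing, expired or otherwise invalid token
    settings:
      accessTokenUri: https://auth.example.com/oauth/token   # assumed
      authorizationGrants: [ client_credentials ]
      scopes: [ "orders:read" ]                               # assumed

  # Interactive user login: token carries user claims (authorization_code)
  oauth2_user:
    type: OAuth 2.0
    describedBy:
      headers:
        Authorization:
          description: Bearer access token obtained via authorization_code
          type: string
      responses:
        401:
          description: Missing, expired or otherwise invalid token
    settings:
      authorizationUri: https://auth.example.com/oauth/authorize   # assumed
      accessTokenUri: https://auth.example.com/oauth/token          # assumed
      authorizationGrants: [ authorization_code ]
      scopes: [ "profile:read" ]                                    # assumed

# Service-to-service endpoint: only the client_credentials scheme applies
/orders/summary:
  get:
    securedBy: [ oauth2_client ]

# Per-user endpoint: only authorization_code, since the handler needs the user claim
/me/profile:
  get:
    securedBy: [ oauth2_user ]
```

The RAML only documents which grant each endpoint accepts; the API implementation still has to validate the token on every request and, for /me/profile, reject tokens that carry no user claim.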