How to introspect OAuth access token, and then append API key to access backend

This is a long shot, but I'm in dire need of advice. If you know of a more appropriate community for this type of question please share!

I'm working with a legacy OAuth system using email + password grant type (deprecated, I know: it's out of my control).

I have to somehow connect this authentication service with a database backend for which I have an API key.


Ideal flow

  1. User logs in with OAuth service with email + password, gets access token
  2. User sends backend request to some middleware, which does introspection / validates access token
  3. Middleware appends API key to request header to retrieve backend data


Things I've considered

  1. Traefik instance + auth forwarding
    This seems to expect authentication to be done in the middleware rather than passing and introspecting an access token. Also the OAuth service's introspection endpoint requires client ID and client secret as documented here

  2. Ory Oathkeeper
    This seems to expect arguments which would be used for regular OAuth2 redirect flow, such as pre_authorization.
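
The "ideal flow" in the question, sketched as an added example that is not part of the original post: the middleware introspects the bearer token per RFC 7662 using its own client ID and secret, then swaps the user's credentials for the backend API key. HTTP Basic client authentication, the header names `X-API-Key` and `X-Authenticated-User`, and `fake_introspect` are assumptions made for illustration.

```python
import base64, json, urllib.parse, urllib.request

def build_introspection_request(url, client_id, client_secret, token):
    # RFC 7662 request: the token goes in a form body; the middleware
    # authenticates itself with its own client ID and secret (HTTP Basic assumed).
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"})
    return urllib.request.Request(url, data=body.encode(), method="POST", headers={
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded"})

def introspect_http(url, client_id, client_secret, token, timeout=5):
    # Live call; returns the JSON claims document from the introspection endpoint.
    req = build_introspection_request(url, client_id, client_secret, token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

# Hypothetical header names; use whatever the backend actually expects.
API_KEY_HEADER, USER_HEADER = "X-API-Key", "X-Authenticated-User"

def authorize_and_rewrite(headers, introspect, api_key):
    # Returns (status, upstream_headers); upstream_headers is None when denied.
    h = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = h.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return 401, None
    try:
        claims = introspect(token.strip())
    except Exception:
        return 502, None  # introspection unavailable: fail closed
    if claims.get("active") is not True:
        return 401, None  # expired, revoked or unknown token
    # Strip caller-supplied credentials and identity headers so the user's
    # token never reaches the backend and the injected values cannot be spoofed.
    blocked = {"authorization", API_KEY_HEADER.lower(), USER_HEADER.lower()}
    upstream = {k: v for k, v in h.items() if k not in blocked}
    upstream[API_KEY_HEADER] = api_key
    if "sub" in claims:
        upstream[USER_HEADER] = str(claims["sub"])
    return 200, upstream

# Constructed stand-in for the OAuth service, so the example runs offline.
def fake_introspect(token):
    return {"active": True, "sub": "user-42"} if token == "tok-good" else {"active": False}

if __name__ == "__main__":
    print(authorize_and_rewrite({"Authorization": "Bearer tok-good", "X-API-Key": "forged"},
                                fake_introspect, "backend-key-placeholder"))
```

In a real deployment, `introspect` would be a small wrapper around `introspect_http` with the service's endpoint and the middleware's client credentials, ideally with short-lived caching of positive results.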