Hi,
my team is building an API with SSL two-way authentication.
We have a couple of partners that are going to consume our API.
We have designed our API in such way we identify the partner caller by the digital certificate used on SSL connection.
So each partner must have its own digital certificate, that is linked with an identity in our database.
Now the trouble.
Our partners are not in the TI business, so they will hire other companies to develop the systems that will actually consume our API. Let's call these hired companies as intermediaries.
Moreover, each intermediary will build a single system to be used by a couple of partners.
So we have something like partners p1, p2 and p3 using the system sA developed by intermediary iA, and partners p4 and p5 using the system sB developed by intermediary iB.
My company has no direct business relation with the intermediaries. So at first we would like to ignore them in our architecture.
Therefore, what we are currently asking from intermediary iA, for example, is "when your system sA invokes our API on behalf of p1, use a digital certificate specific for representing p1; when your system sA invokes our API on behalf of p2, use another digital certificate specific for representing p2".
It would be nice for us, but we are not confident that this is the right way.
Maybe we should identify the intermediaries in our system by the certificate on SSL connection and just let, for example, sA say "I'm invoking your API on behalf p1", given that we already registered that sA is allowed to invoke us on behalf of p1, p2 and p3.
Another path could be something like OAuth. But I'm not sure if OAuth itself would be exactly the path, since we are not interested in exactly authenticate the end user, but the partner that is invoking us (i.e. we do not need an identity for each end end user, but only an identity for each partner).
So I would like to hear of you what would be the best market practices for such scenario.
Thank you!
Leonardo Leite