Can anyone point me in the right direction regarding the following use cases?
We are building a classic web application for browsers with some elements of single page apps. This web app is going to use OpenID Connect to allow users to sign-in with a third party identity provider (IdP) using the authorization code flow.
The result of signing in is that the application gets a signed ID Token (JWT) from the IdP. After signing in, the application knows who the user is by their username.
The next step is that the web application (server side) needs to interact with our back-end system via its HTTP/REST API. The back-end has its own user register with user names matching those from the external IdP.
As of now, the REST API allows OAuth2 authentication with the user credentials grant (username + password). But ... tada ... the new web application does not, by design, have the user's credentials.
Question (1) - how does the web application authenticate with the REST API as the current user, without knowing said user's credentials?
Question (2) - what specs cover this scenario?
Current idea for a solution: pass the ID Token to the REST API as user credentials and let the REST API do the same JWT verification as the web application does.
Second scenario: as above, but this time the web application is replaced with a native mobile application using OpenID Connect to sign in (by opening a built-in webview) and then accessing the REST API directly from the mobile client.
Kind regards, Jørn Wildt