We have a new, somewhat untypical use-case that we are unclear how best to implement with We have unauthenticated clients that need to consume an authenticated API through a reverse proxy with

```mermaid
flowchart LR
Client--unauthenticated---Proxy[Reverse Proxy with mod_auth_openidc]--authenticated---API
```

One idea was to use an OIDC Client Credential Flow on the reverse proxy for this but it does not look like Is there a way to achieve this with Also, are there any general issues with this approach, aside from the fact that an authenticated API is exposed without authentication?
mod_sts using the Client Credentials exchange type supports that scenario, see: https://github.com/OpenIDC/mod_sts?tab=readme-ov-file#oauth-20-client-credentials-cc; one could consider this an OAuth-flavored alternative to using a service credential to talk to downstream services where in the past basic authentication or a client certificate would be used, which is why it was added to mod_sts (on user demand); I don't see an issue with that (as long as the access token scope is restricted).
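To make the proxy-side pattern concrete, here is an added illustration (not mod_sts code, nor part of the discussion above) of what the reverse proxy does for anonymous callers: it holds its own client credential, obtains a client-credentials token, caches it until expiry, refuses to request more than a fixed allowed scope, and strips any `Authorization` header the anonymous client sent before attaching its own. The token endpoint, `ALLOWED_SCOPE` and all credential values are constructed for the example.

```python
import time

# Constructed policy: the only scope the proxy may request for anonymous callers.
# This stands in for restricting the client's scope at the authorization server.
ALLOWED_SCOPE = {"api.read"}


def scope_within(scope, allowed=ALLOWED_SCOPE):
    """True if every space-separated scope value is in the allowed set."""
    return set(scope.split()) <= allowed


class ClientCredentialsBroker:
    """Obtains and caches a client-credentials access token for the proxy.

    token_endpoint is a callable (client_id, client_secret, scope) -> token
    response dict, so the example runs offline against the fake below."""

    def __init__(self, client_id, client_secret, scope, token_endpoint, clock=time.time):
        if not scope_within(scope):
            raise ValueError(f"scope {scope!r} exceeds the proxy's allowed scope")
        self.client_id, self.client_secret, self.scope = client_id, client_secret, scope
        self.token_endpoint, self.clock = token_endpoint, clock
        self._token, self._expires_at = None, 0.0
        self.fetches = 0  # number of token-endpoint calls, for observability

    def access_token(self):
        # Reuse the cached token until 30 s before its expiry, then fetch anew.
        if self._token and self.clock() < self._expires_at - 30:
            return self._token
        resp = self.token_endpoint(self.client_id, self.client_secret, self.scope)
        self.fetches += 1
        self._token = resp["access_token"]
        self._expires_at = self.clock() + resp.get("expires_in", 0)
        return self._token

    def forward_headers(self, incoming_headers):
        """Headers for the upstream call: drop any client-supplied Authorization
        (the anonymous caller must not influence it) and add the proxy's token."""
        headers = {k: v for k, v in incoming_headers.items() if k.lower() != "authorization"}
        headers["Authorization"] = f"Bearer {self.access_token()}"
        return headers


def fake_token_endpoint(client_id, client_secret, scope):
    # Constructed stand-in for the authorization server's token endpoint.
    if (client_id, client_secret) != ("proxy", "s3cret"):
        raise PermissionError("invalid_client")
    return {"access_token": f"tok-{scope}-{client_id}", "token_type": "Bearer", "expires_in": 300}
```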