· Sep 14, 2021

P2P OAUTH Recommended Flow


I'm hoping to get some feedback on the OAuth process flow for Payer-to-Payer authorization.  It doesn't seem that "Authorization Code Flow" is needed as there will not be a need for a login.  I am leaning towards recommending "Client Credentials Flow", but wanted to get some community feedback before making a decision. I prefer to follow what the standard will be if possible.  What would you recommend?  Thank you in advance for your input.

Product version: IRIS 2021.1
Discussion (2)1
Log in or sign up to continue

Hi Joseph, I agree on using Client Credentials for this use case. As far as I know this is the only OAuth 2.0 grant type that authorizes server-to-server communication without the context of a user agent logging in. You can implement this in InterSystems IRIS by overriding the ValidateClient() method of the OAuth validation class:

One thing to keep in mind is that by default anybody can register a new client with your authorization server by using the dynamic client registration endpoint. So the presence of a valid client isn't enough to authorize the API call. You will need some additional authorization logic.