I'm having trouble finding implementation ideas / guidance / examples for an authentication system that has the following properties:
- Allows a third party to carry out actions on our platform on behalf of a user.
- Allows a user of the third party's application to carry out actions on our platform directly.
- The user always authenticates with the third party.
- The user never directly authenticates with the platform.
I'm looking for a well-defined specification to implement, in the same way that the OAuth2 spec defines how a resource owner may grant a third party access to resources.
An example of the type of authentication system I'd like to implement is the Braintree API and their use of Client Secret + Transaction Nonces.
https://developers.braintreepayments.com/start/overview#how-it-works
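For readers who want to see the shape of the flow the question points at, here is an added, self-contained sketch of a Braintree-style delegation: the third party authenticates to the platform with its client secret, the platform mints a short-lived token for the end user's device, the device acts on the platform directly and receives a single-use nonce, and the third party's server redeems that nonce on the user's behalf. This is editorial illustration code, not the poster's code and not Braintree's implementation; the class and method names (`Platform`, `issue_client_token`, `client_action`, `redeem_nonce`), the TTLs and the credentials are all constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time


class Platform:
    """In-memory stand-in for 'our platform'. Constructed for illustration only;
    a real deployment would persist nonces and hash stored client secrets."""

    TOKEN_TTL = 600   # seconds a client token stays valid (assumed value)
    NONCE_TTL = 180   # seconds a nonce may be redeemed (assumed value)

    def __init__(self, clock=time.time):
        self.clock = clock                           # injectable for expiry tests
        self.signing_key = secrets.token_bytes(32)   # known only to the platform
        self.clients = {}                            # client_id -> client_secret
        self.nonces = {}                             # nonce -> redemption record

    # Registration of the third party happens once, out of band.
    def register_client(self, client_id, client_secret):
        self.clients[client_id] = client_secret

    def _check_client(self, client_id, client_secret):
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            raise PermissionError("bad client credentials")

    def _sign(self, body: bytes) -> str:
        return hmac.new(self.signing_key, body, hashlib.sha256).hexdigest()

    # Step 1: the third-party server, holding its client secret, asks for a
    # client token bound to one of *its* users. The platform never sees the
    # user's own credentials; it only learns the third party's reference.
    def issue_client_token(self, client_id, client_secret, user_ref):
        self._check_client(client_id, client_secret)
        claims = {"c": client_id, "u": user_ref,
                  "exp": int(self.clock()) + self.TOKEN_TTL}
        body = json.dumps(claims, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(body).decode() + "." + self._sign(body)

    def _verify_client_token(self, token):
        try:
            b64, sig = token.split(".")
            body = base64.urlsafe_b64decode(b64)
        except (ValueError, binascii.Error):
            raise PermissionError("malformed client token")
        if not hmac.compare_digest(self._sign(body), sig):
            raise PermissionError("client token signature mismatch")
        claims = json.loads(body)
        if claims["exp"] < self.clock():
            raise PermissionError("client token expired")
        return claims

    # Step 2: the user's device calls the platform directly with the client
    # token. The platform does the sensitive work (here: just storing the
    # payload) and hands back a single-use nonce instead of the raw data.
    def client_action(self, client_token, payload):
        claims = self._verify_client_token(client_token)
        nonce = secrets.token_urlsafe(24)
        self.nonces[nonce] = {"client": claims["c"], "user": claims["u"],
                              "payload": payload, "used": False,
                              "exp": self.clock() + self.NONCE_TTL}
        return nonce

    # Step 3: the third-party server redeems the nonce. It must present its
    # own secret, the nonce must belong to that client, and it is consumed.
    def redeem_nonce(self, client_id, client_secret, nonce):
        self._check_client(client_id, client_secret)
        rec = self.nonces.get(nonce)
        if rec is None or rec["client"] != client_id:
            raise PermissionError("unknown nonce for this client")
        if rec["used"]:
            raise PermissionError("nonce already redeemed")
        if rec["exp"] < self.clock():
            raise PermissionError("nonce expired")
        rec["used"] = True
        return {"user": rec["user"], "payload": rec["payload"]}


def is_rejected(fn, *args):
    """True if the call is refused by the platform's checks."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


def demo():
    """Run the full exchange plus the failure modes a reviewer would probe."""
    clk = [1_000_000.0]
    p = Platform(clock=lambda: clk[0])
    p.register_client("acme-shop", "acme-client-secret")      # constructed
    token = p.issue_client_token("acme-shop", "acme-client-secret", "user-42")
    nonce = p.client_action(token, {"card_last4": "4242"})   # constructed payload
    first = p.redeem_nonce("acme-shop", "acme-client-secret", nonce)
    replay = is_rejected(p.redeem_nonce, "acme-shop", "acme-client-secret", nonce)
    bad_sig = token[:-1] + ("0" if token[-1] != "0" else "1")
    tampered = is_rejected(p.client_action, bad_sig, {})
    p.register_client("other-app", "other-secret")
    nonce2 = p.client_action(token, {"card_last4": "1111"})
    cross = is_rejected(p.redeem_nonce, "other-app", "other-secret", nonce2)
    clk[0] += Platform.TOKEN_TTL + 1
    stale = is_rejected(p.client_action, token, {})
    return {"first": first, "replay_rejected": replay, "tamper_rejected": tampered,
            "cross_client_rejected": cross, "expired_rejected": stale}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the shape is that each party authenticates with what it already holds: the third party with its client secret, the user's device with a token the third party obtained for it, and the platform only ever binds actions to the third party's user reference. Single use, short expiry and client binding on the nonce are what stop a leaked nonce from being replayed or redeemed by a different integrator.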