0

I want to design an API which an organization is going to use to connect with my server. For a client-server application, a simple JWT-based authentication is done by verifying the user's credentials and generating a token for them.

My question is: what should be the process for authenticating another system? How is that organization supposed to receive the credential required to get the authentication token? Like, should I define some static values and tell that organization to use them for authentication? What is the best practice?

Demento (7,249)
Ju Bc (103)

1 Answer

1

You already tagged your question correctly with the oauth tag. There is an OAuth 2.0 flow specific for machine-to-machine communication, called Client Credentials Flow. Details can be found in RFC6749, section 4.4.

The initial authentication takes place using a pre-shared key, called the client secret. OAuth 2.0 doesn't specify a token format, so any sufficiently complex static value (e.g. a random 512-bit string) will do. After successful authentication, the authorization server provides the access token to the system requesting access. This access token, which is used as a bearer token, is used to connect to the target APIs.

Demento (7,249)