We have a service which exposes certain functionality using a REST API. The REST API needs a user context to execute its functions. There would be two ways for the API to get the user context:
- Using a user access token
- Passing in the user context directly in the request (like userId, no token involved)
Case 1 seems to be relevant when we do 3-legged OAuth where a user access token would be generated.
Case 2 seems to be relevant when we do an internal service-to-service call, where the user may have been authenticated to the client service using some mechanism other than OAuth, say single sign-on using CAS. (So there is no token available for the client service to use when it makes a call.)
Given the above two cases, we would need to expose the API in two ways, one that accepts a user context in the request, and one that tries to retrieve the user context based on the access token.
This would however result in any service always having to maintain two ways of accessing the same API. Is there any way around this to avoid the client having to implement two mechanisms to access the same API?
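As an added illustration (example code, not part of the question or of any project it mentions), the following shows a single context-resolution step behind one API entry point that covers both cases described above: a bearer access token for the 3-legged OAuth case, and a user id passed directly for the internal service-to-service case. The in-memory token table, the shared service secret and the `X-User-Id` / `X-Service-Signature` header names are all constructed assumptions. The naive resolver alongside it shows why case 2 must not simply trust a user id from any caller: without some proof that a trusted internal service vouched for the user, any client could claim to be any user.

```python
import hashlib
import hmac

# Constructed stand-in for the authorization server's token store or
# introspection endpoint (assumption); a real service would validate the
# token with the OAuth server or verify a signed token instead.
ACCESS_TOKENS = {
    "tok_alice_123": {"user_id": "alice", "expires_at": 2000},
    "tok_bob_expired": {"user_id": "bob", "expires_at": 1000},
}

# Constructed shared secret provisioned only to trusted internal services
# (assumption); mTLS or a signed service token would serve the same purpose.
SERVICE_SECRET = b"internal-service-secret-example"


def sign_user_context(user_id: str) -> str:
    """Client side of the internal path: the calling service vouches for the
    user id it forwards by signing it with the shared service secret."""
    return hmac.new(SERVICE_SECRET, user_id.encode(), hashlib.sha256).hexdigest()


def resolve_user_context_naive(headers: dict) -> dict:
    """Flawed variant of case 2: trusts X-User-Id from any caller, so any
    client that can reach the API can impersonate any user."""
    if "X-User-Id" in headers:
        return {"user_id": headers["X-User-Id"], "source": "header"}
    raise PermissionError("no user context")


def resolve_user_context(headers: dict, now: int) -> dict:
    """Single entry point covering both cases from the question.

    Case 1: a bearer access token is looked up and checked for expiry.
    Case 2: a directly passed user id is accepted only when accompanied by
            a valid signature from a trusted internal service.
    """
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        token = auth[len("Bearer "):]
        entry = ACCESS_TOKENS.get(token)
        if entry is None or entry["expires_at"] <= now:
            raise PermissionError("invalid or expired access token")
        return {"user_id": entry["user_id"], "source": "token"}

    user_id = headers.get("X-User-Id")
    if user_id is not None:
        presented = headers.get("X-Service-Signature", "")
        expected = sign_user_context(user_id)
        # Constant-time comparison so the check does not leak the signature.
        if not hmac.compare_digest(presented, expected):
            raise PermissionError("user context not vouched for by a trusted service")
        return {"user_id": user_id, "source": "service"}

    raise PermissionError("no user context")


if __name__ == "__main__":
    print(resolve_user_context({"Authorization": "Bearer tok_alice_123"}, now=1500))
    internal = {"X-User-Id": "carol", "X-Service-Signature": sign_user_context("carol")}
    print(resolve_user_context(internal, now=1500))
```

With this arrangement the client only ever calls one endpoint; which of the two mechanisms applies is decided by the headers it presents, and the internal path is gated on a credential that an external OAuth client does not hold.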