I’m considering an OAuth 2.0 scenario where the OAuth client is a web service:
user –> web service client (AJAX app on a browser) –> web service (OAuth client) –> web service (OAuth resource server)
However, I’m unable to map this scenario into any of the scenarios/use cases described in the OAuth 2.0 draft 22 or in the “OAuth use cases” draft.
Are there any references (e.g. docs, posts) regarding this kind of application?
Adding some names to clarify the discussion:
user –> C (e.g. AJAX app) –> Service1 (OAuth client) –> Service2 (OAuth RS)
The AJAX client could use the implicit grant type to get an Access Token (AT) directly from the Authorization Server (AS)’s authorization endpoint. This grant type is an optimization of the better-known authorization code grant type, i.e., three-legged OAuth. (Browser-based JavaScript clients can’t keep secrets, so there is no sense making them exchange a code for an AT.) Then the web service, which in this arrangement would be a Resource Server (RS), would exchange the AJAX client’s AT for a new one using, IINM, the client credentials grant type by sending it to the AS’s token endpoint. It would then send this second AT to the downstream service (also an RS). If the first AT is a bearer token, both services trust the AS, and the second service doesn’t need info about the first service in the AT, then exchanging tokens isn’t needed.
HTH!
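The forwarding path the answer ends on (one bearer token issued by the AS, verified by Service1 and forwarded unchanged to Service2, no token exchange), as an added Python sketch that is not from the original post. The HMAC-signed token format, the shared `AS_KEY`, the scope names and the service functions are constructed assumptions standing in for a real AS and two resource servers.

```python
import base64, hashlib, hmac, json

AS_KEY = b"constructed-shared-key"  # assumption: AS shares this HMAC key with both RSs

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def as_issue_token(subject: str, scopes: list, now: int, ttl: int = 3600) -> str:
    """Authorization Server: mint the bearer AT handed to the AJAX client (implicit grant)."""
    claims = {"sub": subject, "scope": scopes, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(AS_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def rs_verify(token: str, required_scope: str, now: int):
    """Check shared by both resource servers: signature, expiry, then scope."""
    try:
        body, tag = token.split(".")
    except ValueError:
        return None  # malformed token
    expected = hmac.new(AS_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or not issued by the AS
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now or required_scope not in claims["scope"]:
        return None  # expired or insufficient scope
    return claims

def service2(token: str, now: int) -> dict:
    """Downstream RS: trusts the AS directly, needs nothing about Service1 in the AT."""
    claims = rs_verify(token, "service2:read", now)
    if claims is None:
        return {"status": 401}
    return {"status": 200, "data": f"record for {claims['sub']}"}

def service1(token: str, now: int) -> dict:
    """RS toward the AJAX client, OAuth client toward Service2; forwards the same bearer AT."""
    if rs_verify(token, "service1:read", now) is None:
        return {"status": 401}
    downstream = service2(token, now)
    if downstream["status"] != 200:
        return {"status": 502}  # AT was good for Service1 but Service2 rejected it
    return {"status": 200, "data": downstream["data"]}
```

A token scoped only for Service1 passes the first hop and fails at Service2, which is why the AS must mint the AT with scopes covering the whole chain when no exchange step is used.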