After some extensive research, I still don't know how to properly implement the following case. I think this question answers something similar, but I'm not 100% sure (should the client have access to the third party API access token?).
Let's say that I have my resource server (my-api.com), my identity provider and authorization server (my-idp.com), and an application client (native or browser) (com.my-app).
The standard use case is implemented with the authorization grant flow.
I now have a new use case, where I have to request data from a third-party resource server (other-api.com). The third party also has an identity provider and offers OAuth 2.0 authorization and OpenID authentication workflows. Third party resource owners must give their consent to my request so that I can request their data and use it further in my request.
My questions are:
Is the name stream what I need? It seems to be for two APIs that I control, not for third-party APIs.
How do I manage the third-party access, update and identification tokens to make requests on behalf of the resource owner?
1. Can I store the third-party tokens on my-api.com and add them to each request I make to fetch data for my user?
2. Can I store the third-party tokens on my-idp.com alongside my user information?
3. I could send the third-party tokens to com.my-app, which would mean two tokens for each party. It seems annoying.
I would opt for option 2 and extend the functionality of my-idp.com. Is this a valid approach? My API my-api.com would then collect third party tokens before making requests on behalf of my user.
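The following is an added example, not code from the question or from any real provider, illustrating the server-side pattern the asker sketches in options 1 and 2: third-party tokens are kept in a vault on the server, keyed by local user and provider, refreshed shortly before expiry, dropped when the third party reports the grant as revoked, and never handed to com.my-app, which only receives the fetched data. All names (`TokenVault`, `OnBehalfOfClient`, the `refresh`/`http` callables, the token strings) are assumptions, and the third party is simulated in `demo()` so the code runs offline.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


class ConsentRequired(Exception):
    """No usable third-party grant for this user: the app must run the
    third party's authorization flow (user consent) again."""


@dataclass
class ThirdPartyTokens:
    access_token: str
    refresh_token: str
    expires_at: float  # unix timestamp


class TokenVault:
    """Server-side store for third-party tokens keyed by (local user id, provider).
    Assumption for the example: an in-memory dict stands in for a database table
    whose token columns are encrypted at rest. Nothing here returns tokens to the
    end-user client."""

    def __init__(self) -> None:
        self._rows: Dict[Tuple[str, str], ThirdPartyTokens] = {}

    def put(self, user_id: str, provider: str, tokens: ThirdPartyTokens) -> None:
        self._rows[(user_id, provider)] = tokens

    def get(self, user_id: str, provider: str) -> Optional[ThirdPartyTokens]:
        return self._rows.get((user_id, provider))

    def delete(self, user_id: str, provider: str) -> None:
        self._rows.pop((user_id, provider), None)


# Hypothetical callable shapes so the example stays offline:
RefreshFn = Callable[[str], ThirdPartyTokens]               # refresh_token -> new tokens
HttpFn = Callable[[str, Dict[str, str]], Tuple[int, dict]]  # (url, headers) -> (status, body)


class OnBehalfOfClient:
    """Lets my-api.com call other-api.com for a user while the client app
    never sees the third-party tokens."""

    def __init__(self, vault: TokenVault, refresh: RefreshFn, http: HttpFn,
                 clock: Callable[[], float] = time.time, skew: float = 60.0) -> None:
        self.vault, self.refresh, self.http = vault, refresh, http
        self.clock, self.skew = clock, skew
        self.refreshes = 0  # observable counter for the demo/test

    def _usable_access_token(self, user_id: str, provider: str) -> str:
        tokens = self.vault.get(user_id, provider)
        if tokens is None:
            raise ConsentRequired(f"{user_id} has not authorized {provider}")
        # Refresh slightly before expiry so a request never races the deadline.
        if tokens.expires_at - self.skew <= self.clock():
            tokens = self.refresh(tokens.refresh_token)
            self.vault.put(user_id, provider, tokens)
            self.refreshes += 1
        return tokens.access_token

    def fetch(self, user_id: str, provider: str, url: str) -> dict:
        token = self._usable_access_token(user_id, provider)
        status, body = self.http(url, {"Authorization": f"Bearer {token}"})
        if status == 401:
            # Grant revoked at the third party: discard stale tokens and make
            # the app re-run the consent flow instead of retrying blindly.
            self.vault.delete(user_id, provider)
            raise ConsentRequired(f"{provider} rejected the stored grant for {user_id}")
        return body  # data only; the third-party token stays on the server


def demo() -> dict:
    """Constructed walk-through against a fake other-api.com; returns observations."""
    now = [1_000_000.0]          # controllable clock
    revoked = [False]            # flips to simulate the user revoking consent

    def fake_refresh(refresh_token: str) -> ThirdPartyTokens:
        return ThirdPartyTokens("at-2", "rt-2", now[0] + 3600)

    def fake_http(url: str, headers: Dict[str, str]) -> Tuple[int, dict]:
        ok = headers.get("Authorization") in ("Bearer at-1", "Bearer at-2")
        if ok and not revoked[0]:
            return 200, {"url": url, "contacts": ["alice", "bob"]}
        return 401, {}

    vault = TokenVault()
    vault.put("user-42", "other-api.com", ThirdPartyTokens("at-1", "rt-1", now[0] + 300))
    client = OnBehalfOfClient(vault, fake_refresh, fake_http, clock=lambda: now[0])

    first = client.fetch("user-42", "other-api.com", "https://other-api.com/contacts")
    now[0] += 600                # past expiry: next call must refresh first
    second = client.fetch("user-42", "other-api.com", "https://other-api.com/contacts")
    revoked[0] = True
    try:
        client.fetch("user-42", "other-api.com", "https://other-api.com/contacts")
        reconsent = False
    except ConsentRequired:
        reconsent = True
    return {"first": first, "second": second, "refreshes": client.refreshes,
            "reconsent": reconsent, "vault_cleared": vault.get("user-42", "other-api.com") is None}
```

The client app only ever receives the `first`/`second` payloads; the vault row holding the bearer and refresh tokens stays behind my-api.com, and a 401 from the third party clears that row so the user is sent back through consent rather than the stale grant being retried.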