I have an Application A which authenticates with IDP via SAML-SSO. This application has some APIs that need to be secured. Now there is Application B that needs access to the APIs of Application A.
Now, to access Application A's APIs, it can generate and give a client_id & secret to Application B, which it can use to call Application A's APIs. While calling the APIs, Application B needs to send information related to the user that has a session in Application A. How can this be secured?
Approach 1 - Authenticate both applications with the same IDP, so both applications will know which user is logged in, and for API access give a client_id and secret to Application B, which it will use. But this API security is going to be separate from the security that the IDP is providing.
Approach 2 - Figure out a way to use the security provided by IDP for securing the API calls from Application B to Application A.
The business is preferring Approach 2, but I am not sure and confused about how the setup should work.
I'm looking for more clarity on how systems like these are implemented while maintaining high standards of security.
Flow for the user - Logs in to Application A -> Clicks on a link (Go to Application B) -> Application B calls some APIs to fetch data from Application A using some user information -> Application B sends the user back to Application A after collating the data.
Any help is greatly appreciated.
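The following is an added illustration of the difference between the two approaches in the question; it is not code from the question or from any product mentioned in it. It assumes the IDP can issue a signed bearer token (an OIDC/JWT-style token) that names the user (`sub`), the API it is meant for (`aud`) and the client it was issued to (`azp`); a SAML-only IDP would need an OAuth/OIDC or token-exchange capability for this. The issuer URL, audience, client id, secrets and the HS256 shared key are all constructed placeholders; a real IDP signs with an asymmetric key and publishes the public half, but the checks Application A performs are the same.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# All identifiers below are assumptions for the example, not values from the question.
IDP_ISSUER = "https://idp.example.test"
API_AUDIENCE = "app-a-api"
B_CLIENT_ID = "app-b"
B_CLIENT_SECRET = "constructed-client-secret"
# Constructed shared HMAC key standing in for the IDP's signing key.
IDP_SIGNING_KEY = b"constructed-idp-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(subject: str, client_id: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """What the IDP does: bind the logged-in user (sub) to the calling client (azp) and the API (aud)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": API_AUDIENCE,
              "azp": client_id, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(IDP_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """What Application A does: accept only tokens the IDP signed for this API that have not expired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(IDP_SIGNING_KEY, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != API_AUDIENCE:
        raise ValueError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def _client_ok(request: dict) -> bool:
    """Client credentials prove which application is calling, nothing about the user."""
    return (request.get("client_id") == B_CLIENT_ID
            and hmac.compare_digest(request.get("client_secret", ""), B_CLIENT_SECRET))


def api_insecure(request: dict) -> tuple:
    """Approach 1 as described: A trusts whatever user identity B puts in the request."""
    if not _client_ok(request):
        return 401, "unknown client"
    return 200, {"data_for": request["headers"].get("X-User")}


def api_secure(request: dict, now: Optional[int] = None) -> tuple:
    """Approach 2: the client secret identifies the application, the IDP-signed token identifies the user."""
    if not _client_ok(request):
        return 401, "unknown client"
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = verify_token(auth[len("Bearer "):], now=now)
    except ValueError as exc:
        return 401, str(exc)
    if claims.get("azp") != request["client_id"]:  # token must have been issued to this client
        return 403, "token not issued to this client"
    return 200, {"data_for": claims["sub"]}  # identity comes from the token, not from B's headers


def demo(now: int = 1_700_000_000) -> dict:
    """B holds a token for alice but names bob in a header; only the insecure API believes the header."""
    token = idp_issue_token("alice", B_CLIENT_ID, now=now)
    request = {"client_id": B_CLIENT_ID, "client_secret": B_CLIENT_SECRET,
               "headers": {"X-User": "bob", "Authorization": "Bearer " + token}}
    return {
        "insecure": api_insecure(request),
        "secure": api_secure(request, now=now + 60),
        "secure_expired": api_secure(request, now=now + 600),
        "secure_no_token": api_secure({**request, "headers": {"X-User": "bob"}}, now=now + 60),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of the two API variants: with client credentials alone, Application A can only tell that Application B is calling, so any user identity B sends along is just an unverifiable claim. With a token the IDP signed for this API and this client, A verifies the signature, issuer, audience, expiry and client binding itself, so the user identity it acts on is the one the IDP established, which is what "using the security provided by the IDP" amounts to for the API calls.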