We talked about this problem briefly when we met in Vienna.
I need to realize this situation: https://www.scottbrady91.com/img/oauth/full-delegation.png
Client accesses API1 with sub=alice. API1 then needs to access API2 to fulfill the request, but on behalf of alice. How can I pass this information to API2?
I could use Poor Man's Delegation, but that would be dirty and might have serious security flaws as API1 might get more scopes than it actually needs.
Using the Client Credentials grant would have me lose the information that API1 acts on behalf of alice. So what is the Gluu way to achieve this? Is this solvable using UMA? Or do I need to hook a script into the process? If so: where?
Sorry, I could not explain it in a better way!
Thanks in advance :-)
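The two fallback options the post rules out can be made concrete by looking at the token API2 would actually receive under each of them. The following is an added illustration, not code from the post or from Gluu; tokens are plain dicts standing in for access-token claims, the claim names (sub, scope, aud, client_id) follow common OAuth/JWT usage, and the scope names and the assumption that API2 expects aud=api2 are constructed for this example.

```python
"""Added illustration (not from the original post or from Gluu):
what API2 sees under "Poor Man's Delegation" versus Client Credentials.

Tokens are plain dicts standing in for access-token claims. Claim names
follow common OAuth/JWT usage; scope names and audiences are constructed.
"""

# The only scope API1 genuinely needs when it calls API2 (constructed).
API2_SCOPES_NEEDED = {"api2.read"}


def alice_token_for_api1():
    """Constructed token the client presents to API1 on behalf of alice."""
    return {
        "sub": "alice",
        "client_id": "client",
        "aud": "api1",
        "scope": {"api1.orders", "api2.read", "api2.write", "profile"},
    }


def poor_mans_delegation(token):
    """Poor Man's Delegation: API1 forwards alice's token to API2 unchanged."""
    return dict(token)


def client_credentials_for_api1():
    """Client Credentials grant: API1 gets its own token; nothing names alice."""
    return {"sub": "api1", "client_id": "api1", "aud": "api2",
            "scope": {"api2.read"}}


def assess(token, needed=API2_SCOPES_NEEDED, expected_aud="api2"):
    """Report, from API2's point of view, which delegation properties hold.

    subject_is_user: the token still carries a user subject, not just a client.
    audience_ok:     the token was actually issued for API2.
    excess_scopes:   scopes API2 is handed beyond what API1 needs (least privilege).
    """
    return {
        "subject_is_user": token.get("sub") not in (None, token.get("client_id")),
        "audience_ok": token.get("aud") == expected_aud,
        "excess_scopes": sorted(token.get("scope", set()) - needed),
    }


if __name__ == "__main__":
    print("poor man's:", assess(poor_mans_delegation(alice_token_for_api1())))
    print("client creds:", assess(client_credentials_for_api1()))
```

Forwarding keeps the subject but fails the audience check and over-shares scopes; Client Credentials is least-privilege and correctly audienced but drops the user entirely, which is exactly the gap the question is asking how to close.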