# general
s
Looks like you might want to implement some kind of permission system, e.g. Ory Permissions https://www.ory.sh/docs/keto
b
I already have a permission system in my API and I don't want to replace it for now. Currently my API generates a client object based on the JWT token it receives (like CustomerClient or AdminClient). These objects contain the necessary IDs to perform permission checks. I need to set up my new authentication layer to be able to map to that system.
e
We have the same requirements but for OAuth 2.0, without a solution yet. "Specific user(group)s should only be allowed to use specific OAuth clients." We have an OAuth client for our app and some OAuth clients for internal systems.
b
I was thinking about 2 more alternatives:
• use metadata to identify users allowed to access the admin part: the user would be logged in to the admin app but couldn't do anything; on the backend side I can verify the metadata to grant additional permissions
• use the OAuth2 authorization code flow on the admin app, and send the JWT to the backend. As the app and Ory would run on the same domain, the cookie would be sent alongside the JWT, which would require handling authentication method precedence on the backend (not really an issue)
Any thoughts?
s
OAuth2 seems overkill for this; identity metadata is an easy solution if it does not change very often on a per-user basis.