
OAuth alternative for two-party scenario?

Çağlar Arlı      -    99 Views


I'm trying to come up with an authentication/authorization system for what seems like a really simple scenario, but as far as I can tell it's virtually unsupported.

There are two parties, total: myself and someone else ("other"). I'm running a bunch of services with HTTP APIs that are reachable over the public Internet, and "other" wants to use them from their own systems. There are no browsers, no interactive sessions, no people at screens and keyboards to interact with anything, just two computers talking to each other. These are requirements and cannot be changed. Here's an illustration:

Authentication flow

I don't want each of my services to have to implement whatever mechanism is used to establish and validate "other"'s identity; I want each service to use a standard mechanism (like a short-lived bearer JWT) and have something else (an authentication service? I hope that name is accurate) do the work of validating "other"'s identity and translating it to that standard. This seems like widespread standard practice and I assume is not controversial or a problem.

Ideally, I would like to use an off-the-shelf hosted product for the authentication service, so I don't need to build it myself or worry about how to administer accounts, but as far as I can tell this is literally unsupported by the providers I've looked at (Okta, AWS Cognito, and Auth0) and may be entirely incompatible with OAuth 2.0 itself. There are no browsers and no interactive users, so grant types based on redirecting back and forth and user approval are right out, so I think that leaves password and client_credentials as the options. client_credentials can't actually authenticate other parties in any of these services; you have to add a trusted application that is treated as internal, which is not acceptable. password allows you to supply a user name and password, but in all of these services you still have to include the client credentials. Since these providers all work the same way, and it sounds like that is consistent with the OAuth 2.0 spec, I'm not sure if there's a solution for this that doesn't involve building my own authentication.

Is there a proper name for what I'm trying to do that would help me find solutions? Has anyone heard of any hosted products that solve this problem? As a fallback, is there some tricky way of using OAuth2 to do this?
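The split described in the question, with one authentication service checking "other"'s credential and minting a short-lived bearer JWT that every other service only has to validate, as an added example that is not part of the original post or of any of the named providers. It assumes HS256 with a signing key shared between the auth service and the resource services (a real deployment would more likely use an asymmetric key so services hold only the public half); the client registry, key, audience and timestamps are constructed demo values.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values; in practice these come from a vault or config.
CLIENT_REGISTRY = {"other-corp": "s3cret-client-credential"}  # the "other" party
SIGNING_KEY = b"demo-signing-key-shared-with-services"
AUDIENCE = "my-services"
TOKEN_TTL = 300  # short-lived: five minutes

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(client_id: str, client_secret: str, now=None):
    """Auth service: verify the other party's credential, then mint an HS256 JWT."""
    expected = CLIENT_REGISTRY.get(client_id)
    if expected is None or not hmac.compare_digest(expected.encode(), client_secret.encode()):
        return None  # unknown client or wrong secret (constant-time comparison)
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "auth-service", "sub": client_id, "aud": AUDIENCE,
              "iat": now, "exp": now + TOKEN_TTL}
    signing_input = f"{_b64(json.dumps(header).encode())}.{_b64(json.dumps(claims).encode())}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"

def verify_token(token: str, now=None):
    """Resource service: accept only a correctly signed, unexpired token meant for us."""
    try:
        h, c, s = token.split(".")
        header, claims, sig = json.loads(_unb64(h)), json.loads(_unb64(c)), _unb64(s)
    except ValueError:  # covers bad segment count, bad base64 and bad JSON
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token pick it
        return None
    expected = hmac.new(SIGNING_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    now = now if now is not None else time.time()
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
        return None  # wrong audience or already expired
    return claims

if __name__ == "__main__":
    tok = issue_token("other-corp", "s3cret-client-credential")
    print(verify_token(tok)["sub"])  # prints "other-corp"
```

Each resource service needs only `verify_token` and the key; all knowledge of how "other" authenticates stays inside `issue_token`.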