
End user authN / authZ in a B2B2C setup

Çağlar Arlı


I am hosting a SaaS application that exposes an API and does authN using an API Key (M2M).

An organization can subscribe to this SaaS and consume the API. The end user (customer) of the organization will then use this API when performing a chat on the organization's website (only once logged in).

The SaaS API can also be configured to invoke some API of the organization to get customer info, etc. Today, we have an option of using the Client Credentials flow (by configuring an app in the org's IdP) and passing the token. However, there is a need to also identify the "End user" when doing so.

What would be the best way to solve this? Is this a feasible thing or is something fundamental missing here?

Sample architecture
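The setup described in the question, as an added, runnable illustration (not code from the original post or from any product named in it): the SaaS backend authenticates the subscribing organization by API key (M2M), obtains a token from the organization's IdP, and calls the organization's API with it. A plain Client Credentials token (RFC 6749 section 4.4) only identifies the SaaS client, which is exactly the gap the question points at; the example therefore also shows the delegation shape standardised in RFC 8693, where the token's `sub` is the end user and an `act` claim records the SaaS client acting on their behalf. Everything concrete here is constructed: the HS256 signing key, the API key, the client id and secret, the issuer and audience URLs, and the in-memory "IdP" and "org API" stand in for real components (a real token exchange would take the end user's own token as `subject_token` rather than a bare identifier).

```python
"""Constructed end-to-end illustration of SaaS -> org IdP -> org API with end-user delegation."""
import base64
import hashlib
import hmac
import json
import time

# Constructed shared HS256 key between the org's IdP and the org's API (offline stand-in
# for asymmetric signing keys published via JWKS).
IDP_SIGNING_KEY = b"constructed-idp-signing-key-do-not-reuse"
ORG_API_AUDIENCE = "https://api.org-acme.example/customers"  # constructed audience

# API keys the SaaS issued to subscribing organizations, stored as SHA-256 hashes (constructed).
ORG_API_KEYS = {
    hashlib.sha256(b"org-acme-api-key-constructed").hexdigest(): "org-acme",
}
# The SaaS registered as a confidential client in each org's IdP (constructed values).
REGISTERED_CLIENTS = {
    ("org-acme", "saas-chat-backend"): "constructed-client-secret",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT (RFC 7519) signer, sufficient for an offline example."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, audience: str) -> dict:
    """Verify signature (constant-time), expiry and audience; raise ValueError on failure."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    return claims


def authenticate_org(api_key: str):
    """SaaS side: M2M authentication of the organization by hashed API-key lookup."""
    return ORG_API_KEYS.get(hashlib.sha256(api_key.encode()).hexdigest())


def idp_issue_token(org: str, client_id: str, client_secret: str, end_user=None) -> str:
    """Org IdP side (constructed). Without end_user this is plain Client Credentials:
    `sub` is the SaaS client itself. With end_user it models the RFC 8693 delegation
    result: `sub` is the end user and `act` names the SaaS client acting for them."""
    if REGISTERED_CLIENTS.get((org, client_id)) != client_secret:
        raise PermissionError("unknown client")
    now = int(time.time())
    claims = {"iss": f"https://idp.{org}.example", "aud": ORG_API_AUDIENCE,
              "iat": now, "exp": now + 300, "client_id": client_id}
    if end_user is None:
        claims["sub"] = client_id
    else:
        claims["sub"] = end_user
        claims["act"] = {"sub": client_id}
    return sign_jwt(claims, IDP_SIGNING_KEY)


def org_api_customer_info(token: str) -> dict:
    """Org API side (constructed): who is calling, and on whose behalf?"""
    claims = verify_jwt(token, IDP_SIGNING_KEY, ORG_API_AUDIENCE)
    actor = claims.get("act", {}).get("sub", claims["sub"])
    end_user = claims["sub"] if "act" in claims else None
    return {"actor": actor, "end_user": end_user}


def chat_backend_call(api_key: str, end_user=None):
    """The flow from the question, end to end; None if the org's API key is rejected."""
    org = authenticate_org(api_key)
    if org is None:
        return None
    token = idp_issue_token(org, "saas-chat-backend", "constructed-client-secret", end_user)
    return org_api_customer_info(token)


if __name__ == "__main__":
    print(chat_backend_call("org-acme-api-key-constructed"))
    print(chat_backend_call("org-acme-api-key-constructed", end_user="customer-42"))
```

The two calls at the bottom show the difference the question is about: with plain Client Credentials the org API only learns that `saas-chat-backend` is calling, whereas with the delegated token it learns both the end user (`sub`) and the client acting for them (`act.sub`), and can authorize the customer-info lookup against the actual end user rather than against the SaaS as a whole.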