Is this a good use case for OAUTH2 and OpenID Connect

I would like to see if Oauth2/OpenIdConnect will work with our scenario.

Normally, our clients log into our system, a session is created and the client is redirected to our reports.aspx page.

Our clients are lazy and want a way to simply login once to our site through their vendor's site, and our vendor does not want to keep a user management database when we already have a user management db.

Our clients are working with their vendor to have their client app authenticate with us and then they can get re-directed to our reports.aspx page. Kind of like single sign on.

In the Oauth2 specs, there's a lot of references made to RESTful API end points. What if you don't have RESTful api end points? Following the Authorization flow, after the client app exchanges the authorization code for an access token and ID token, we will return a query string to redirect to our reports.aspx (not the vendor's redirect URI).

We are not exposing endpoints where the vendor can retrieve the data on our client's behalf. We are simply redirecting the user to our pages, once the user is authenticated from the vendor's site.

Is this a good use case for OAUTH2/OpenID Connect?

No, OAuth2 relies on an authorization server which exposes both an authorization code and an access token endpoint to support all possible OAuth flows (some simple flows do not require the authorization code endpoint).

Authorization [code] flow, after the client app exchanges the authorization code for an access token and ID token

Where will the client obtain its code and exchange it for the access token if it has no authorization server to deal with?

See http://www.bubblecode.net/en/2016/01/22/understanding-oauth2/
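To make the answer's point concrete, here is an added example (not code from the question, the answer, or any real project) of the two endpoints an authorization server must expose for the authorization code flow: the questioner's site acting as issuer, the vendor's app as the registered client. The client id, secret, redirect URI, HS256 signing key and user id are all constructed for the example; a real deployment would use an established OIDC library and asymmetric (RS256) signing.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed registration for the vendor's app: the only redirect_uri a code may be sent to.
REGISTERED_CLIENTS = {
    "vendor-app": {"secret": "vendor-secret", "redirect_uri": "https://vendor.example/cb"},
}
ISSUER = "https://reports.example"   # our site, acting as the identity provider (constructed)
SIGNING_KEY = b"hs256-demo-key"      # constructed HS256 key for the ID token signature
_codes = {}                          # code -> {client_id, redirect_uri, sub, exp, used}

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def authorize(client_id, redirect_uri, user_sub, state):
    """Authorization endpoint: after the user logs in on our site, issue a short-lived
    code and return the URL the browser is sent to. Only the registered redirect_uri
    is accepted, so a code can never be delivered to an attacker-chosen location."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        return None
    code = secrets.token_urlsafe(24)
    _codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                    "sub": user_sub, "exp": time.time() + 60, "used": False}
    return f"{redirect_uri}?code={code}&state={state}"

def token(client_id, client_secret, code, redirect_uri, now=None):
    """Token endpoint: the vendor's backend exchanges the code for an access token and an
    ID token. Checks: client authentication, code known, unexpired, unused, and the same
    client_id/redirect_uri pair that was used at the authorization endpoint."""
    now = time.time() if now is None else now
    client = REGISTERED_CLIENTS.get(client_id)
    rec = _codes.get(code)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return {"error": "invalid_client"}
    if (rec is None or rec["used"] or rec["exp"] < now
            or rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri):
        return {"error": "invalid_grant"}
    rec["used"] = True   # single use: a replayed code must fail
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"iss": ISSUER, "sub": rec["sub"], "aud": client_id,
                                 "iat": int(now), "exp": int(now) + 300}).encode())
    sig = _b64url(hmac.new(SIGNING_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest())
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "id_token": f"{header}.{claims}.{sig}"}

def id_token_claims(id_token, client_id):
    """Relying-party side: verify the signature, issuer and audience; return the claims or None."""
    header, claims, sig = id_token.split(".")
    expected = _b64url(hmac.new(SIGNING_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    data = json.loads(base64.urlsafe_b64decode(claims + "=" * (-len(claims) % 4)))
    return data if data.get("aud") == client_id and data.get("iss") == ISSUER else None
```

The redirect to reports.aspx that the question describes would happen on the vendor's side after `token()` succeeds and `id_token_claims()` validates the ID token; without the authorization server implementing both endpoints there is nothing for the client to exchange.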
