Hi
I'm building a mobile application (frontend + backend) with a management system (frontend + backend) in the background. The mobile app and the management system have different login requirements, but they share the same user base (tenant). Users are required to complete an MFA challenge when logging in to the management system.
The management system has to talk to the mobile app backend, for example when a support worker edits user information through the management system UI.
Everything has to be secured of course.
The support worker has a registration on both FusionAuth applications obviously.
1) I could implement a machine-to-machine security protocol. The management system has a technical client id and secret in the mobile app which it can use to authenticate. I'm not a big fan of this since I lose the actual roles of the original user when talking to the mobile app system.

2) Secure the communication between my backends with tokens on behalf of the user. I'd prefer to just send the user's token from the management system to the mobile app backend, but this won't work because they don't share the same FusionAuth application id.
How can I implement 2)? Can I somehow configure my mobile application backend to accept tokens with a different application id, similar to how SSO works?
Other idea: call a FusionAuth endpoint to exchange a token from FusionAuth application A for a token from FusionAuth application B. This should only work if the user behind the token is registered on both applications.
Does something like this exist?
Best regards
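Added example, not part of the original post: a self-contained model of the two checks the question turns on. The mobile backend verifies a FusionAuth-style JWT and rejects it when its `aud` (FusionAuth sets `aud` and `applicationId` to the application id the token was issued for) is the management application's id, which is why option 2) fails as-is; and a local `exchange_token` models the token exchange the post asks for: accept a valid token for application A, require that the user has a registration in application B, and mint a token for B carrying the user's roles from the B registration rather than copying the A roles. FusionAuth's JWT API does have a call to issue a JWT for another application from an existing access token (check the current JWT API docs for the exact request); the block below models the exchange offline instead of calling it. The application ids, issuer URL, signing key and registration table are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data (assumptions, not from the post): two application ids,
# one HS256 key shared by both applications, and each user's registrations
# (with per-application roles) in the shared tenant.
MGMT_APP_ID = "11111111-1111-1111-1111-111111111111"
MOBILE_APP_ID = "22222222-2222-2222-2222-222222222222"
ISSUER = "https://auth.example.com"             # assumed FusionAuth issuer
SIGNING_KEY = b"constructed-demo-signing-key"   # assumed HS256 key
REGISTRATIONS = {
    "user-42": {MGMT_APP_ID: ["support-worker"], MOBILE_APP_ID: ["user"]},
    "user-99": {MGMT_APP_ID: ["support-worker"]},  # no mobile registration
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub, app_id, roles, key, now, ttl=3600):
    """Build an HS256 JWT shaped like the one FusionAuth issues for an application."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": app_id, "applicationId": app_id,
              "roles": roles, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, key, expected_aud, now):
    """Check signature, issuer, expiry and audience; return the claims or raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":           # pin the algorithm, never trust the header
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("aud") != expected_aud:      # a token for app A is not valid for app B
        raise ValueError(f"token issued for {claims.get('aud')}, not {expected_aud}")
    return claims


def mobile_backend_accepts(token, now):
    """What the mobile app backend does on an incoming request: (accepted, reason)."""
    try:
        claims = verify_token(token, SIGNING_KEY, MOBILE_APP_ID, now)
        return True, f"roles={claims['roles']}"
    except ValueError as err:
        return False, str(err)


def exchange_token(token, source_app_id, target_app_id, key, now):
    """Model of the exchange the post describes: valid token for source app +
    registration in target app -> new token for target app with target roles."""
    claims = verify_token(token, key, source_app_id, now)
    user_regs = REGISTRATIONS.get(claims["sub"], {})
    if target_app_id not in user_regs:
        raise PermissionError("user is not registered in the target application")
    return mint_token(claims["sub"], target_app_id, user_regs[target_app_id], key, now)


if __name__ == "__main__":
    now = 1_700_000_000
    mgmt_token = mint_token("user-42", MGMT_APP_ID, ["support-worker"], SIGNING_KEY, now)
    print("raw management token at mobile backend:", mobile_backend_accepts(mgmt_token, now))
    mobile_token = exchange_token(mgmt_token, MGMT_APP_ID, MOBILE_APP_ID, SIGNING_KEY, now)
    print("exchanged token at mobile backend:", mobile_backend_accepts(mobile_token, now))
```

The point to keep from the model: the exchanged token's roles come from the user's registration in the target application, so the mobile backend enforces the user's actual permissions there, which is the property that a shared machine-to-machine client id and secret (option 1) would lose.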