OAuth is all about delegation. It allows a client application to ask the resource owner (a user) for permission to access a protected resource (an HTTP API) on their behalf. It is a delegation protocol.

So, what happens when a client application communicates with a protected resource that needs to interact with other protected resources? How do you keep this request acting on the user’s behalf? How do you handle this API-to-API communication securely without getting the user involved again?

The OAuth working group has solved this with OAuth token exchange (spoilers), but let’s look at some API-to-API scenarios where I’ve seen this issue in production and then look at some possible solutions before looking at token exchange.

https://developer.okta.com/blog/2020/08/07/spring-boot-remote-vs-local-tokens