Web application authorization for website to access my RESTful API

Here is the scenario:

I have a web application with some RESTful APIs, and users use an IdP for single sign-on. I registered my web application (as well as many other third-party web applications) in the IdP, and when users want to use my web application, I redirect them to the IdP login page and go through the usual SAML 2 steps for user authentication. This part has already been completed. Now, after logging in, users can freely use any web application registered in the IdP. The next task is to allow some of these web applications (not all) to use my RESTful APIs.

Unlike the normal OAuth 2 provisioning flow, users do not grant their third-party web applications access to my APIs; instead, I want to control which third-party web applications can use my APIs. Something like the user asking me to give a specific web application access to certain of my APIs. Or if there are any other good suggestions, I'm all ears.

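One way to implement the admin-controlled model the question asks for, as an added example that is not from the original post: the API owner keeps a registry of which registered application may use which API scope, applications obtain a short-lived token with an OAuth 2 client-credentials style exchange (no user consent involved), and each API call is checked against the scopes in that token. The client IDs, secrets, scope names and the HMAC-signed token format are constructed for illustration, not taken from any spec.

```python
import base64, binascii, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # signing key held only by the token issuer

# Administrator-managed registry (constructed sample data): which registered
# application may call which API scope. In practice this lives in a database
# the API owner controls, not in user consent screens.
CLIENT_GRANTS = {
    "reports-app": {"secret": "reports-secret", "scopes": {"orders:read"}},
    "billing-app": {"secret": "billing-secret", "scopes": {"orders:read", "orders:write"}},
}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(client_id, client_secret, requested_scopes, ttl=600):
    """Client-credentials style issuance: the application authenticates itself
    and receives only scopes the administrator granted it. Returns None on failure."""
    client = CLIENT_GRANTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return None
    if not set(requested_scopes) <= client["scopes"]:
        return None  # refuse outright rather than silently narrowing the request
    claims = {"sub": client_id, "scope": sorted(requested_scopes), "exp": int(time.time()) + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def verify_token(token, now=None):
    """Check signature and expiry; return the claims or None."""
    try:
        payload, sig = (_unb64(part) for part in token.split("."))
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if claims["exp"] <= (time.time() if now is None else now):
        return None
    return claims

def authorize(token, required_scope):
    """Resource-side check run on every API call."""
    claims = verify_token(token)
    return claims is not None and required_scope in claims["scope"]
```

Granting or revoking an application's access is then a change to the registry by the API owner, with no change to the SAML login flow the users already go through.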
1 answer

You can take a look at this spec, which provides more control over tokens with distributed access.

