I am looking for best-practice advice for a particular use case at hand:
We are a small company that manages smart rooms and room bookings for our clients from a device installed in meeting rooms located in the customer's physical space. Until now, we have been using basic authentication toward the EWS APIs, but as the deadline for deprecating basic authentication is approaching soon, we are working on migrating to the Microsoft Graph APIs.
Having said that, I have been looking into the various OAuth 2.0 flows in connection with authentication and authorization. Here are the use cases:
- By default, the room device/touch controllers should show the room calendar at all times. No authentication should be required.
  In order to achieve this, I'm planning to add a confidential client flow where the application has a client id and a certificate/secret used to poll the room calendar at a fixed interval. I believe that with this approach I can have a long-running session and avoid any authentication.
- When authenticated, users should also be able to see their own calendar on the same device. This requires a short registration process, consent for using a service account as a delegate, and a PIN generation, so that next time the user just needs the PIN to authenticate.
I'm wondering which OAuth 2.0 flow can be used to address both scenarios listed above.
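The first scenario above (a confidential client polling a room mailbox with its own credentials) is the OAuth 2.0 client credentials grant against the Microsoft identity platform v2.0 token endpoint, followed by a Graph `calendarView` call with application permissions. The block below is an added illustration written for this post, not code from the original poster or from Microsoft's SDKs: it requests the token with a client secret, caches it until shortly before `expires_in` runs out, and re-requests it silently, since client credentials never return a refresh token and each access token lives only about an hour. The tenant id, client id, secret and room address are placeholders, and the network is replaced by a constructed fake transport so the example runs offline; swapping in `urllib_transport` makes it hit the real endpoints.

```python
"""Client credentials flow + Graph calendarView poll for a room mailbox.

Added example for illustration (not the poster's code). TENANT-ID, CLIENT-ID,
CLIENT-SECRET and the room address are placeholders, not real values.
"""
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Optional

GRAPH = "https://graph.microsoft.com/v1.0"
# ".default" asks for every application permission an admin has already consented to
SCOPE = "https://graph.microsoft.com/.default"

# transport(url, headers, body) -> parsed JSON; body=None means GET, bytes means POST
Transport = Callable[[str, dict, Optional[bytes]], dict]


def urllib_transport(url: str, headers: dict, body: Optional[bytes]) -> dict:
    """Real HTTP transport using only the standard library."""
    method = "GET" if body is None else "POST"
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


@dataclass
class RoomCalendarClient:
    tenant_id: str
    client_id: str
    client_secret: str
    transport: Transport = urllib_transport
    clock: Callable[[], float] = time.time
    token_requests: int = field(default=0, init=False)   # how often we went to the token endpoint
    _token: Optional[str] = field(default=None, init=False)
    _expires_at: float = field(default=0.0, init=False)

    @property
    def token_url(self) -> str:
        return f"https://login.microsoftonline.com/{self.tenant_id}/oauth2/v2.0/token"

    def get_token(self) -> str:
        """Return a cached access token, re-requesting it 5 minutes before expiry."""
        if self._token and self.clock() < self._expires_at - 300:
            return self._token
        form = urllib.parse.urlencode({
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self.client_secret,   # a certificate (client assertion) works the same way
            "scope": SCOPE,
        }).encode()
        resp = self.transport(self.token_url,
                              {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if "access_token" not in resp:
            raise RuntimeError(f"token request failed: {resp.get('error')}: "
                               f"{resp.get('error_description')}")
        self._token = resp["access_token"]
        self._expires_at = self.clock() + int(resp.get("expires_in", 3600))
        self.token_requests += 1
        return self._token

    def calendar_view(self, room_upn: str, start_iso: str, end_iso: str) -> list:
        """Poll the room mailbox's calendar for the given window (application permission)."""
        query = urllib.parse.urlencode({"startDateTime": start_iso, "endDateTime": end_iso,
                                        "$select": "subject,start,end,organizer",
                                        "$orderby": "start/dateTime"})
        url = f"{GRAPH}/users/{room_upn}/calendarView?{query}"
        headers = {"Authorization": f"Bearer {self.get_token()}",
                   "Prefer": 'outlook.timezone="UTC"'}
        resp = self.transport(url, headers, None)
        return [{"subject": e.get("subject"), "start": e["start"]["dateTime"],
                 "end": e["end"]["dateTime"]} for e in resp.get("value", [])]


class FakeClock:
    """Controllable clock so the cache expiry can be demonstrated without waiting."""
    def __init__(self, now: float) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


def fake_transport(url: str, headers: dict, body: Optional[bytes]) -> dict:
    """Constructed stand-in for the network: canned token and calendar responses."""
    if url.endswith("/oauth2/v2.0/token"):
        form = urllib.parse.parse_qs(body.decode())
        assert form["grant_type"] == ["client_credentials"]
        return {"token_type": "Bearer", "expires_in": 3600, "access_token": "constructed-token"}
    assert headers["Authorization"] == "Bearer constructed-token"
    return {"value": [{"subject": "Standup", "start": {"dateTime": "2024-01-01T09:00:00.0000000"},
                       "end": {"dateTime": "2024-01-01T09:30:00.0000000"}}]}


def demo() -> tuple:
    """Three polls: the second reuses the cached token, the third re-acquires it."""
    clock = FakeClock(1_000_000.0)
    client = RoomCalendarClient("TENANT-ID-PLACEHOLDER", "CLIENT-ID-PLACEHOLDER",
                                "CLIENT-SECRET-PLACEHOLDER", transport=fake_transport, clock=clock)
    window = ("2024-01-01T00:00:00Z", "2024-01-02T00:00:00Z")
    events = client.calendar_view("room1@example.com", *window)
    clock.now += 600      # 10 minutes later: token still valid, no new request
    client.calendar_view("room1@example.com", *window)
    clock.now += 3600     # past the one-hour lifetime: token silently re-requested
    client.calendar_view("room1@example.com", *window)
    return events, client.token_requests


if __name__ == "__main__":
    print(demo())
```

Two things to keep in mind with this flow: an application permission such as `Calendars.Read` grants the app read access to every mailbox in the tenant unless it is narrowed, so restrict the app registration to the room mailboxes with an Exchange application access policy (`New-ApplicationAccessPolicy`), and treat the client secret or certificate on the room device as the credential that is being protected, because it is what the poll runs with.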