Hi, I would like to use strategy authorization for the editor web UI, so I can use my OpenID Connect provider to define users and permissions, but at the same time, I need to be able to use the admin API, which only seems to support the credentials type of authentication (or none). In particular, since I would use the admin API from a script with no user interaction, I would need to support the Client Credentials Flow.
I'm willing to contribute the necessary code changes, but first I would like to discuss what would be the best way to support this kind of scenario.
There is some work happening at the moment to address this.
The current proposal is to allow adminAuth to provide a custom tokens function that can be used to validate any Auth token that isn't recognised as one NR generated itself.
That would then allow you to create an admin-only Auth token that can be used independently of the main oauth login scheme.
I hope there will be a design note or PR that I can link in the near future.
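
An added example, not part of the thread and not the project's own code: one way a script-only admin token could be validated alongside the OpenID Connect strategy. It assumes the proposed `tokens` hook receives the presented token and resolves to a user object or `null`; the token values, usernames and the `lookupServiceToken` helper are constructed for illustration.

```javascript
// Assumption: the hook is called with the bearer token and must resolve to a
// user object ({ username, permissions }) or null when the token is unknown.
const crypto = require("crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s, "utf8").digest();

// Constructed sample values. In a real settings file only the digests would be
// stored; the raw tokens stay with the scripts that present them.
const SERVICE_TOKENS = [
    { digest: sha256("constructed-deploy-token"),
      user: { username: "deploy-script", permissions: "*" } },
    { digest: sha256("constructed-monitor-token"),
      user: { username: "monitor-script", permissions: "read" } },
];

// Returns the matching service user, or null for anything unrecognised.
function lookupServiceToken(token) {
    // Reject non-strings and oversized input before doing any hashing.
    if (typeof token !== "string" || token.length === 0 || token.length > 512) {
        return null;
    }
    const presented = sha256(token);
    let match = null;
    // Compare fixed-length digests in constant time, and walk every entry so
    // response timing does not reveal which entry (if any) matched.
    for (const entry of SERVICE_TOKENS) {
        if (crypto.timingSafeEqual(presented, entry.digest) && match === null) {
            match = entry.user;
        }
    }
    // Hand back a copy so callers cannot mutate the configured user.
    return match === null ? null : { ...match };
}

// Hypothetical settings fragment: the OIDC strategy keeps serving editor
// logins, while `tokens` handles tokens the runtime did not issue itself.
const adminAuth = {
    type: "strategy",
    // strategy: { ...OpenID Connect configuration for editor users... },
    tokens: (token) => Promise.resolve(lookupServiceToken(token)),
};
```

Giving each script its own token and the narrowest permission it needs keeps revocation and audit per-script rather than shared.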