Case:
A desktop client interacts with Server A.
Server A, as a result, needs to connect to server B.
The client is passed the OAuth request.
Now, in the client, we have the user credentials for server B already. Is there some way to authenticate against server B without prompting the user or showing any UI? We need to do this in a generic way, since we don't know what server B is.

My current understanding is that it's not. Even if we somehow processed the login form ourselves, there would still be the OAuth confirmation that the user would have to click on.

I just want to confirm that my current understanding is accurate. Let me know if you have any insights.

A: 

The client has been sent to an authorization page on server B via an HTTP redirect. Since you don't know anything about server B, you don't know what that authorization (and/or authentication) involves; it's out of scope for OAuth. You don't know that you have the user's credentials for server B, since you don't know what they are.

Normally, the client is the user's browser of choice, and server B may choose to accept authentication and/or authorization credentials which it has stored on the client (usually with a cookie), without user interaction. However, this is also out of your control; you can't stop server B from requiring user interaction. If you only need authentication, OpenID is more likely to allow this, since there usually aren't any ID choices, but it still is not certain.

You may be able to store an access token for later renewal and use without re-authorizing at all. This is also up to server B, and you can't rely on this for a generic server.
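An added example (not from the question or the answer) of the last point: keeping a stored token and renewing it with a refresh_token grant so the user is not prompted again, while treating server B's refusal as a signal that user interaction is required after all. The `endpoint` callable, `StoredToken` and `fake_server_b` are assumptions made for this illustration; a real client would POST the same form fields to server B's token endpoint.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional

class UserInteractionRequired(Exception):
    """Raised when server B refuses silent renewal; the user must re-authorize."""

@dataclass
class StoredToken:
    access_token: str
    refresh_token: Optional[str]
    expires_at: float  # Unix time, recorded by the client when the token was issued

# Hypothetical transport: takes the form fields of a refresh_token grant and returns
# the JSON body server B answered with. Real code would POST to the token endpoint.
TokenEndpoint = Callable[[dict], dict]

def get_access_token(token: StoredToken, endpoint: TokenEndpoint,
                     now: Optional[float] = None, skew: float = 60.0) -> StoredToken:
    """Return a usable token, renewing silently only if server B allows it."""
    now = time.time() if now is None else now
    if token.expires_at - skew > now:
        return token  # still valid: no round trip, no UI
    if not token.refresh_token:
        raise UserInteractionRequired("no refresh token issued; re-authorize")
    response = endpoint({"grant_type": "refresh_token",
                         "refresh_token": token.refresh_token})
    if "error" in response:  # e.g. invalid_grant: revoked, expired or rotated elsewhere
        raise UserInteractionRequired(response["error"])
    return StoredToken(
        access_token=response["access_token"],
        refresh_token=response.get("refresh_token", token.refresh_token),
        expires_at=now + float(response.get("expires_in", 3600)),
    )

# Constructed stand-in for server B's token endpoint: it accepts exactly one refresh
# token, rotates it, and rejects anything else, as a server that revoked the grant would.
def fake_server_b(fields: dict) -> dict:
    if fields.get("grant_type") == "refresh_token" and fields.get("refresh_token") == "rt-1":
        return {"access_token": "at-2", "refresh_token": "rt-2", "expires_in": 1800}
    return {"error": "invalid_grant"}
```

Whether the refresh succeeds is entirely server B's decision, so the caller must be prepared to fall back to the interactive flow whenever `UserInteractionRequired` is raised.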

Karl Anderson
I do know the address of server B, and the user's credentials for that server are stored locally on the rich client.
Pratik