Allow Handler to read OAuth2 access token instead of browser cookie
I have a lot of questions on how to protect a REST API (or any machine-to-machine requests) with LemonLDAP::NG.
Now that we have implemented OpenID Connect, we have an OAuth2 access token database (OIDC sessions) that we could use. The Handler could try to read the access token (sent in the Authorization header) instead of the cookie, to get the access token session and find the corresponding SSO session.
The question is: do we allow the Handler to test both the access token and the cookie, or should we have separate Handlers for that? The difficulty of mixing both is knowing how to answer a request with neither an access token nor a cookie: HTTP unauthorized or redirection to the portal? It would require knowing whether the request comes from a browser or from an application.
Any thoughts about this?
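The following is an added illustration of the mixed-Handler decision described in the post; it is not LemonLDAP::NG code and does not use its API. The session stores are constructed dicts, the cookie name `lemonldap`, the portal URL and the `_session_id` link from an OIDC session to its SSO session are assumptions. The point it makes: once a client has sent a `Authorization: Bearer` header it has identified itself as an application and should get a 401 with `WWW-Authenticate` (as RFC 6750 specifies) rather than a redirect, so the browser-versus-application question only has to be answered when the request carries no credential at all.

```python
"""Decide how a Handler answers a request that may carry an OAuth2 bearer
token, an SSO cookie, both, or neither.  Added example, not LemonLDAP::NG code."""
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import quote

COOKIE_NAME = "lemonldap"                 # assumed SSO cookie name
PORTAL_URL = "https://auth.example.com/"  # assumed portal URL
NOW = 1_700_000_000                       # fixed clock for the constructed data

# Constructed sample stores (real ones would be session backends).
SSO_SESSIONS = {
    "sso-1": {"uid": "alice", "_utime": NOW},
}
# access token -> OIDC session; "_session_id" (assumed field) links to the SSO session
OIDC_SESSIONS = {
    "at-good": {"_session_id": "sso-1", "scope": "openid profile", "expires": NOW + 600},
    "at-expired": {"_session_id": "sso-1", "scope": "openid", "expires": NOW - 1},
    "at-orphan": {"_session_id": "sso-gone", "scope": "openid", "expires": NOW + 600},
}


@dataclass
class Request:
    headers: Dict[str, str]                 # lower-cased header names
    cookies: Dict[str, str] = field(default_factory=dict)
    url: str = "https://app.example.com/api/items"


@dataclass
class Decision:
    status: int                             # 200 means "let the request through"
    session: Optional[dict] = None
    headers: Dict[str, str] = field(default_factory=dict)


def bearer_token(req: Request) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', or None."""
    scheme, _, value = req.headers.get("authorization", "").strip().partition(" ")
    return value.strip() if scheme.lower() == "bearer" and value.strip() else None


def looks_like_browser(req: Request) -> bool:
    """Heuristic used only when the request carries no credential at all."""
    accept = req.headers.get("accept", "")
    xhr = req.headers.get("x-requested-with", "").lower() == "xmlhttprequest"
    return "text/html" in accept and not xhr


def sso_session_for_token(token: str, now: int = NOW) -> Optional[dict]:
    """Access token -> OIDC session -> SSO session; None if any step fails."""
    oidc = OIDC_SESSIONS.get(token)
    if oidc is None or oidc["expires"] <= now:
        return None
    return SSO_SESSIONS.get(oidc["_session_id"])   # None if the SSO session was destroyed


def authenticate(req: Request, now: int = NOW) -> Decision:
    token = bearer_token(req)
    if token is not None:
        # A bearer token identifies an API client: answer per RFC 6750, never redirect.
        sso = sso_session_for_token(token, now)
        if sso is None:
            return Decision(401, headers={
                "WWW-Authenticate": 'Bearer realm="app", error="invalid_token"'})
        return Decision(200, session=sso)

    cookie = req.cookies.get(COOKIE_NAME)
    if cookie is not None and cookie in SSO_SESSIONS:
        return Decision(200, session=SSO_SESSIONS[cookie])

    # No valid credential of either kind: only here does browser-vs-app matter.
    if looks_like_browser(req):
        location = PORTAL_URL + "?url=" + quote(req.url, safe="")
        return Decision(302, headers={"Location": location})
    return Decision(401, headers={"WWW-Authenticate": 'Bearer realm="app"'})
```

When both a bearer token and a cookie are present the token wins, so an application that happens to run inside a browser context cannot be silently downgraded to the cookie; whether that precedence is the right one for LemonLDAP::NG is a design choice, not something the post settles.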