I am trying to implement the authorization code flow for my Java application deployed on the SCP Neo environment. This application uses the FORM (for web clients deployed on SCP) and OAUTH (for mobile clients) authentication methods. This Java application exposes some REST services which are protected using role-based authorization. For authentication I am using container-provided security - SAP ID service. Roles are maintained in the SCP cockpit.
On client side I have,
If I just use the UI5 application to connect to Java server using SAML, authentication and authorization works as expected.
When I introduce OAuth into the mix for any endpoint which does not require any (role-based) authorization, it works fine from the mobile client. I am able to fetch the auth code and token and hit the REST endpoint. But it fails (giving a 401 - Unauthorized error) if I try to hit an endpoint which requires authorization, even though I can verify that the user principal is assigned the correct roles.
I want to use the same endpoints for the SAML as well as the OAuth flow. From my understanding of authentication methods, I know that SAML authenticates the user while OAuth authenticates the client app.
Maybe my understanding is wrong and I may require different endpoints catering to the SAML and OAuth flows.
Please let me know if this scenario can be achieved using the same endpoints, or whether I should differentiate between SAML and OAuth endpoints to make this work.