How to select the correct authentication flow?

Testing Auth0 as a possible solution for us, but I am struggling to make heads or tails out of all the documents and videos.

  • We have a non-interactive REST API running on an ASP.NET server.
  • The REST server will be accessed from various native apps and possible web services from other businesses.
  • Any number of businesses can access the REST server. We need to be able to revoke permissions for an entire business easily.
  • Each business can have a list of users that can access the REST server so we need to know which user belongs to which business, and what roles/permissions each user has. If the business access is revoked then the user access should fail as well.
  • The REST API server accesses a centralized database, so it is crucial that each business can only access data they own, and for this each business has a unique account ID. We need to be able to read this account ID from the authentication token.

How do I set up and use Auth0 to enable this scenario?

I have been trying for days playing with different options and seem to be going around in circles at the moment. I tried the authorization extension but it does not allow roles or permissions for a non-interactive API flow. Also, there seems to be no way to associate a user with a business.

From what you describe you have a multi-tenancy scenario, so if you haven’t done so already you should take a look at: Multi-Tenant Applications Best Practices

That documentation describes a possible way to achieve this by segregating each business into separate connections. This segregation could then allow you to shut down access at the business level while at the same time knowing which business an end-user is associated with.

The way that information could be surfaced to the API could be through custom claims added to the access tokens issued to the API.
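The following is an added illustration of that approach, not code from the thread above or from Auth0's own documentation. It sketches an Auth0 Rule (a function with the `function (user, context, callback)` signature) that looks up the business behind the connection a user came through, refuses the login if that business has been revoked, and otherwise writes the account ID, connection name and any roles into namespaced custom claims on the access token. The `TENANTS` map, the connection names, the `https://example.com/` claim namespace and the `tenantFromClaims` API-side helper are all hypothetical; `runRule` is only a stand-alone harness that calls the rule the way Auth0 would, so the whole file runs offline.

```javascript
// Added example, not from the original thread or from Auth0.
// Assumption: one Auth0 connection per business, and a lookup (here a
// hypothetical in-memory map) from connection name to that business's
// account ID and whether its access is currently enabled.
const TENANTS = {
  'acme-corp':  { accountId: 'acct_1001', enabled: true },
  'globex-inc': { accountId: 'acct_1002', enabled: false }, // access revoked
};

// Inside a real Rule, Auth0 provides UnauthorizedError as a global;
// this stand-in only exists so the example runs outside Auth0.
class UnauthorizedError extends Error {}

// Custom claims on Auth0 access tokens must use a namespaced (URL-style)
// name; the namespace itself is arbitrary and hypothetical here.
const NAMESPACE = 'https://example.com/';

// The Rule. context.connection is the connection the user authenticated
// through, so it identifies the business for the whole session.
function addTenantClaims(user, context, callback) {
  const tenant = TENANTS[context.connection];

  if (!tenant) {
    return callback(new UnauthorizedError('Unknown business connection'));
  }
  if (!tenant.enabled) {
    // Revoking the business fails every user who logs in through its
    // connection, regardless of that user's own roles.
    return callback(new UnauthorizedError('Access for this business has been revoked'));
  }

  // Roles, if something upstream (e.g. the Authorization Extension) put them
  // on the context; absent roles simply yield an empty list.
  const roles = (context.authorization && context.authorization.roles) || [];

  context.accessToken[NAMESPACE + 'account_id'] = tenant.accountId;
  context.accessToken[NAMESPACE + 'business'] = context.connection;
  context.accessToken[NAMESPACE + 'roles'] = roles;
  return callback(null, user, context);
}

// Harness: invokes the rule with a constructed user and context the way
// Auth0 would, and returns either the resulting claims or the error message.
function runRule(connection, roles) {
  const user = { user_id: 'auth0|123', email: 'alice@example.com' }; // constructed
  const context = { connection, accessToken: {}, authorization: { roles } };
  let result;
  addTenantClaims(user, context, (err, _user, ctx) => {
    result = err ? { error: err.message } : { claims: ctx.accessToken };
  });
  return result;
}

// API side: the tenant the request may touch comes only from the validated
// token's claims, never from a request parameter the caller controls.
function tenantFromClaims(claims) {
  const accountId = claims[NAMESPACE + 'account_id'];
  if (typeof accountId !== 'string' || accountId.length === 0) {
    throw new Error('token carries no tenant account_id claim');
  }
  return accountId;
}

module.exports = { addTenantClaims, runRule, tenantFromClaims, TENANTS, NAMESPACE };
```

In the ASP.NET API the same check is the claim lookup done after JWT signature, issuer and audience validation; scoping every database query by the account ID taken from that claim is what keeps one business from reading another's rows.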