We have a Machine-to-Machine controlled server environment. With our own UI, people can log on, get a token and access this environment as normal.
We now have a requirement for partners to be able to access that environment on behalf of their users. While they are Auth0 users also, it’s a different organization/tenant. We don’t want their users to have to log on again to our environment, so what is the best way to enable their users to access resources in our environment?
I’m having some trouble visualizing this use case; would you be able to provide some additional information, or maybe an example of the desired outcome?
Here’s a few questions:
M2M environments are usually user-less. How are users accessing it? Through a web app?
“Access on behalf of their users”: do you mean impersonate the user? Is a partner an “admin” of some kind?
Are you issuing user tokens, or is this more like a developer dashboard where you are issuing M2M tokens?
Many thanks for the response. Essentially we have a partner company who also have an Auth0 tenant. Their users log on to their tenant, and our partner may want to create resources in our environment, which is running against a different Auth0 tenant. We’re looking for the best way to do this…
Ideally we’d like users in our partner’s environment to be able to create and use the resources in our environment from the partner environment, without the partner’s user necessarily being registered in our environment.
Or would it make sense to ensure the user is also registered in our environment and to get them a token to be used on our environment in some way?
If I understand correctly, you have your tenant (tenant A) and your partner has a tenant (tenant B). You want to allow the users of tenant B to log on to an application in tenant A, and request access tokens to access resources in an API registered in tenant A.
For this type of setup, you can have one tenant federate login to another tenant. For example, tenant A can act as the service provider and tenant B can act as the identity provider. You can do this with an enterprise connection. Does that make sense?
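With that federation in place, the API registered in tenant A only ever sees tokens issued by tenant A, so the resource server should reject anything else, including a token the partner’s user obtained directly from tenant B. The check below is an added example, not code from this thread or from Auth0; the tenant domains and API audience are constructed placeholders, and an HS256 shared secret stands in for tenant A’s real RS256 signing key and JWKS endpoint.

```python
import base64, hashlib, hmac, json, time

# Constructed placeholders: tenant A is ours (service provider, issues tokens for our API),
# tenant B is the partner (identity provider behind the enterprise connection).
TENANT_A_ISSUER = "https://tenant-a.example.auth0.com/"
TENANT_B_ISSUER = "https://tenant-b.example.auth0.com/"
API_AUDIENCE = "https://api.tenant-a.example/"
TENANT_A_SECRET = b"constructed-demo-secret"   # stands in for tenant A's signing key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(issuer: str, audience: str, sub: str, secret: bytes, ttl: int = 300) -> str:
    """Build an HS256 JWT so the validator has realistic input (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    now = int(time.time())
    payload = _b64url(json.dumps({"iss": issuer, "aud": audience, "sub": sub,
                                  "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_for_tenant_a_api(token: str) -> dict:
    """Accept only tokens tenant A issued for our API; raise ValueError with the reason."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # never let the token choose the algorithm
    expected = hmac.new(TENANT_A_SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")           # a token from tenant B fails here
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != TENANT_A_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if API_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")          # token for some other API in tenant A
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    return claims

def rejection_reason(token: str):
    """None if accepted, otherwise the reason string (handy for the API's audit log)."""
    try:
        validate_for_tenant_a_api(token)
        return None
    except ValueError as exc:
        return str(exc)
```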