Hi,
I’m building a Data-as-a-Service platform using Auth0 as an OIDC-compliant OAuth2 provider.
As of now I’m creating 3rd-party clients for each client application using the Management API with an API token, but I’d like to allow the developers for whom I’m creating these 3rd-party clients to perform certain management actions on their clients.
According to this post, I’d rather think that such delegation should be handled in my application code, but I prefer to confirm first:
Is there a way to generate a token and control the access rights in Auth0 to make sure that a certain developer can only manage the configuration of their own 3rd-party client?
The scopes that can be granted to an access token for the Management API refer to general actions like read:clients or update:clients, so within an action type like updating clients there is no way, at the token level, to further restrict the action to individual records of that type.
In addition, Management API access tokens are bearer tokens associated with a client application (issued through client credentials) rather than directly with an end-user grant. As you mentioned, and as suggested in the linked post, you can broker this process either in your own client application or even through just another API where fine-grained authorization checks could be applied to ensure a given developer would only be able to manage their associated client application. Keep in mind that you should restrict even further, not just to an individual client application, but to only certain settings of that client.
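The brokering approach described in the answer above, as an added example that is not part of the original thread and not Auth0's own code: a small broker that sits between the developer and the Management API. It checks (1) that the caller, identified by the `sub` of their own user token, owns the client they want to change, and (2) that the requested change only touches an allowlisted set of settings, before forwarding a PATCH to the Management API's `/api/v2/clients/{id}` endpoint using the broker's own client-credentials token (`update:clients` scope). The ownership table, tenant domain, developer ids and the `send` transport are constructed placeholders; wire `send` to a real HTTP client in practice.

```python
"""Broker for delegating per-client Management API updates (added example)."""
from typing import Any, Callable, Dict, List, Tuple

# Constructed data: which developer (the `sub` of their own user token) owns
# which 3rd-party client. In a real deployment this mapping lives in your own
# database and is written when you create the client for that developer.
CLIENT_OWNERS: Dict[str, str] = {
    "cli_abc123": "auth0|dev-alice",   # placeholder ids
    "cli_def456": "auth0|dev-bob",
}

# Only these client settings may be changed through the broker; everything
# else (grant types, secrets, token lifetimes, ...) stays under your control.
ALLOWED_FIELDS = {"callbacks", "allowed_logout_urls", "web_origins", "description"}
LIST_FIELDS = {"callbacks", "allowed_logout_urls", "web_origins"}

AUTH0_DOMAIN = "example.eu.auth0.com"  # placeholder tenant domain


class AuthorizationError(Exception):
    """Raised when a developer may not perform the requested change."""


def authorize_client_update(developer_sub: str, client_id: str,
                            patch: Dict[str, Any]) -> Dict[str, Any]:
    """Return a sanitized copy of `patch` if developer_sub may apply it to client_id."""
    # Ownership check. The same error covers "unknown client" and "not yours",
    # so a caller cannot probe which client_ids exist in the tenant.
    if CLIENT_OWNERS.get(client_id) != developer_sub:
        raise AuthorizationError("client not found or not owned by caller")
    if not patch:
        raise AuthorizationError("empty update")
    # Field-level restriction: the token carries update:clients for the whole
    # tenant, so the broker is the only place this narrowing can happen.
    disallowed = set(patch) - ALLOWED_FIELDS
    if disallowed:
        raise AuthorizationError(f"fields not permitted: {sorted(disallowed)}")
    # Basic shape validation for list-valued settings.
    for name in LIST_FIELDS & set(patch):
        values = patch[name]
        if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
            raise AuthorizationError(f"{name} must be a list of strings")
    return {key: patch[key] for key in patch}


# Transport signature: send(method, url, headers, json_body) -> response dict.
SendFn = Callable[[str, str, Dict[str, str], Dict[str, Any]], Dict[str, Any]]


def broker_client_update(developer_sub: str, client_id: str, patch: Dict[str, Any],
                         mgmt_token: str, send: SendFn) -> Dict[str, Any]:
    """Authorize the change, then forward it with the broker's Management API token."""
    body = authorize_client_update(developer_sub, client_id, patch)
    url = f"https://{AUTH0_DOMAIN}/api/v2/clients/{client_id}"
    headers = {
        "Authorization": f"Bearer {mgmt_token}",   # client-credentials token, never the developer's
        "Content-Type": "application/json",
    }
    return send("PATCH", url, headers, body)


def make_recording_send() -> Tuple[SendFn, List[Tuple[str, str, Dict[str, Any]]]]:
    """Offline stand-in for an HTTP client: records calls instead of sending them."""
    calls: List[Tuple[str, str, Dict[str, Any]]] = []

    def send(method: str, url: str, headers: Dict[str, str], body: Dict[str, Any]) -> Dict[str, Any]:
        calls.append((method, url, body))
        return {"status": 200, "client_id": url.rsplit("/", 1)[-1], **body}

    return send, calls


if __name__ == "__main__":
    send, calls = make_recording_send()
    ok = broker_client_update("auth0|dev-alice", "cli_abc123",
                              {"callbacks": ["https://app.example/callback"]},
                              "MGMT-TOKEN-PLACEHOLDER", send)
    print("allowed:", ok)
    for sub, cid, patch in [("auth0|dev-bob", "cli_abc123", {"callbacks": []}),
                            ("auth0|dev-alice", "cli_abc123", {"client_secret": "x"})]:
        try:
            broker_client_update(sub, cid, patch, "MGMT-TOKEN-PLACEHOLDER", send)
        except AuthorizationError as exc:
            print("denied:", exc)
```

The developer never sees the Management API token: they authenticate to the broker with their own user token, and the broker decides per request whether that identity may touch that client and those fields. Adding a new developer-editable setting is a one-line change to `ALLOWED_FIELDS`, which keeps the "certain settings only" restriction from the answer explicit and reviewable.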
Thank you @jmangelo for clarifying.
Yes, of course, my application/API would require further filtering of what parameters the 3rd-party developer can actually alter.