Am I doing Machine to Machine right?

My company has a SPA backed by an API.

I have figured out how to use Auth0 using the Implicit Grant, and I can see how to manage users etc.

We also want to offer our customers direct system integration to our API - in other words our customers have their own ordering systems that would call our APIs directly.

It seems that the Client Credentials flow is the right one to use in this case, as the customer application is authenticating, and not a person.

It seems that for each customer, we will need to create a new Machine to Machine Application, and authorize it to our back end API. I’d expect several hundred customers to want to do this sort of thing.

Does this sound like the ‘right’ approach?

To automate this, we would plan to build a registration form on our site, and use the Auth0 management API for actually creating the M2M App for each customer.

I want to find out the ‘Auth0 way’ of doing this sort of thing - certainly don’t want to get told to stop doing this after we have built it!

I guess an alternative would be to implement an API gateway that supports OAuth?

Any feedback and suggestions welcomed - I’d rather use Auth0 than roll-my-own



That is indeed the right approach. Make sure to grant the appropriate scopes to those applications when creating them (if you have multiple scopes).
If your customers required actual user login instead, you could let them create “third-party apps” (either regular web apps or native/SPA apps), even offering federated authentication by creating enterprise connections (e.g. I let Acme use my API, and Acme wants their users to log in using their identity provider).

The only problem, as of now, is that the Dashboard is not really ideal for handling a huge number of clients. That won’t be an issue if you build your own UI to provision clients, though.
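To make the provisioning step concrete, here is an added example (not code from the thread, nor Auth0's own SDK) of what the registration form's back end would do: create one Machine to Machine client per customer via the Management API, then create a client grant that limits that client to the back end API and to an explicit scope list. The tenant domain, API identifier, scope names and the provisioning app's credentials are placeholders; the HTTP transport is passed in as a function so the payload logic can be exercised offline, while the `__main__` block uses `urllib` against a real tenant.

```python
"""Provision a per-customer Machine-to-Machine client in Auth0.

Added example for the discussion above; not Auth0's code. Uses the two
Management API endpoints that a self-service registration form needs:
  POST /api/v2/clients        -> creates the M2M application
  POST /api/v2/client-grants  -> authorizes it for one API with given scopes
"""
import json
import os
import urllib.request
from typing import Any, Callable, Dict, List

# Transport signature: (method, url, json_body, extra_headers) -> parsed JSON.
HttpCall = Callable[[str, str, Dict[str, Any], Dict[str, str]], Dict[str, Any]]

# Placeholders assumed for this example, not values from the thread.
TENANT_DOMAIN = "example.eu.auth0.com"
API_IDENTIFIER = "https://orders.example.com/api"        # audience of the backend API
MGMT_AUDIENCE = f"https://{TENANT_DOMAIN}/api/v2/"       # audience of the Management API

# The only scopes a customer may be granted through self-service. Checking
# against this list server-side stops a tampered form from requesting more.
ALLOWED_SCOPES = {"create:orders", "read:orders"}


def urllib_http(method: str, url: str, body: Dict[str, Any],
                headers: Dict[str, str]) -> Dict[str, Any]:
    """Minimal JSON-over-HTTPS transport using only the standard library."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method=method,
        headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def client_credentials_token(http: HttpCall, client_id: str, client_secret: str,
                             audience: str) -> str:
    """Client Credentials grant: what each customer's system (and our own
    provisioning service) does to obtain an access token for `audience`."""
    body = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "audience": audience}
    return http("POST", f"https://{TENANT_DOMAIN}/oauth/token", body, {})["access_token"]


def m2m_client_payload(customer_name: str) -> Dict[str, Any]:
    """Body for POST /api/v2/clients. app_type non_interactive is the
    Machine to Machine application type; restricting grant_types keeps the
    client from ever being used for interactive flows."""
    return {"name": f"{customer_name} integration",
            "app_type": "non_interactive",
            "grant_types": ["client_credentials"]}


def client_grant_payload(client_id: str, scopes: List[str]) -> Dict[str, Any]:
    """Body for POST /api/v2/client-grants: which API, and which scopes."""
    return {"client_id": client_id, "audience": API_IDENTIFIER, "scope": list(scopes)}


def provision_customer(http: HttpCall, mgmt_token: str, customer_name: str,
                       scopes: List[str]) -> Dict[str, str]:
    """Create the customer's M2M client and its grant; return the credentials
    to hand over once (the secret is only returned at creation time)."""
    unknown = set(scopes) - ALLOWED_SCOPES
    if unknown:
        raise ValueError(f"scopes not offered to customers: {sorted(unknown)}")
    headers = {"Authorization": f"Bearer {mgmt_token}"}
    base = f"https://{TENANT_DOMAIN}/api/v2"
    client = http("POST", f"{base}/clients", m2m_client_payload(customer_name), headers)
    grant = http("POST", f"{base}/client-grants",
                 client_grant_payload(client["client_id"], scopes), headers)
    return {"client_id": client["client_id"],
            "client_secret": client["client_secret"],
            "grant_id": grant["id"]}


if __name__ == "__main__":
    # The provisioning service is itself an M2M app, authorized for the
    # Management API with (at least) create:clients and create:client_grants.
    mgmt = client_credentials_token(urllib_http, os.environ["PROVISIONER_ID"],
                                    os.environ["PROVISIONER_SECRET"], MGMT_AUDIENCE)
    creds = provision_customer(urllib_http, mgmt, "Acme", ["create:orders"])
    print(json.dumps({k: v for k, v in creds.items() if k != "client_secret"}))
```

The provisioning service's own Management API token should carry only the `create:clients` and `create:client_grants` scopes it needs, and the returned `client_secret` must be shown to the customer once over the authenticated registration session rather than stored in plaintext on our side.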
