We are developing an API platform, that has a separate NativeApp and SPA App.
In Auth0, what’s the best way to model the apps? Is it to one Application per-type (NativeApp, SPA and API) in Auth0 and give the clients access to the API application somehow, or create one app?
In IdentityServer4, we would define them as separate Clients with defined access to specific scopes.
I believe the best practice is to create one Auth0 Application each for your native app and SPA. This is the model we follow where I work. This has a number of advantages including per-app configuration and per-app logging.
Then for your API(s), you can define what scopes each Application is allowed, and you can extend that model (using the Authorization Extension) to control scopes at the user level.