Hello Auth0 community,
first of all let me describe the situation:
We are providers and owners of a cloud service (Service) and we are using Auth0.
Our Service is multi-tenant: one user (authenticated via Auth0) may have access to multiple accounts (called Organizations), and multiple users may have access to the same account (Organization).
We are B2B, so our customer is actually the Organization.
For user authentication we rely exclusively on Auth0; for “User-to-Organization” authorization we have our own solution.
Now we are planning to build & release an app to the Stripe marketplace, which is supposed to continuously push data from a Stripe account to an Organization in our Service.
The Stripe app will have a small front-end in React and some backend that will receive webhooks. The backend will be exclusively under our control (code, deployment). I see two options:
1/ our Stripe app asks Auth0 for the user’s token via Authorization Code Flow, and that token will be used for further communication between our Stripe app backend => Service
2/ our Stripe app backend asks Auth0 for a machine-to-machine token via Client Credentials Flow, and that token will be used in the backend exchange the same way as in the first point
Using Authorization Code Flow has the benefit of utilizing the “User-to-Organization” authorization, so no extra development is needed. On the other hand, in case the User leaves the Organization, authorization fails.
Using Client Credentials Flow requires adding extra “Client-to-Organization” authorization.
Do I violate some best practice, or is it an anti-pattern? What are your thoughts?
Thank you
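To make the two options concrete, here is an added example (not code from the post above or from Auth0) of the authorization check the Service backend would need to run after it has already verified the incoming access token. It shows both paths side by side: a user token (Authorization Code Flow) resolved through the existing User-to-Organization mapping, and a machine-to-machine token (Client Credentials Flow) resolved through a new Client-to-Organization mapping. The failure mode the post mentions, a user who has left the Organization, is handled explicitly. Assumptions: signature, issuer and audience validation happened upstream (e.g. with a JWKS-based verifier), so only the decoded claims are passed in; user tokens carry the user id in `sub`; client-credentials tokens carry `gty == "client-credentials"` and a `<client_id>@clients`-style `sub` (Auth0's convention, assumed here); `AuthzStore` and its two tables are hypothetical stand-ins for the Service's own authorization data.

```python
"""Service-side authorization for user tokens and machine-to-machine tokens.

Added example, not part of the original forum post or of Auth0's code.
Assumed: the JWT was already verified (signature, iss, aud, exp) upstream,
so `claims` is a trusted dict; the claim conventions and the AuthzStore
tables below are stand-ins for the Service's real data.
"""
from dataclasses import dataclass, field
from typing import Tuple


@dataclass
class AuthzStore:
    """Hypothetical in-memory authorization tables.

    user_orgs:   user id   -> set of Organization ids the user may access
    client_orgs: client id -> set of Organization ids the client may push into
    """
    user_orgs: dict = field(default_factory=dict)
    client_orgs: dict = field(default_factory=dict)

    def user_can_access(self, user_id: str, org_id: str) -> bool:
        return org_id in self.user_orgs.get(user_id, set())

    def client_can_access(self, client_id: str, org_id: str) -> bool:
        return org_id in self.client_orgs.get(client_id, set())


def token_kind(claims: dict) -> str:
    """Classify a token as 'client' (Client Credentials) or 'user' (Auth Code).

    Assumed convention: M2M tokens carry gty == "client-credentials" and a
    sub of the form "<client_id>@clients".
    """
    sub = str(claims.get("sub", ""))
    if claims.get("gty") == "client-credentials" or sub.endswith("@clients"):
        return "client"
    return "user"


def principal_id(claims: dict) -> str:
    """Return the id to look up: the user id, or the bare client id."""
    sub = str(claims.get("sub", ""))
    if token_kind(claims) == "client":
        return sub.removesuffix("@clients")
    return sub


def authorize(claims: dict, org_id: str, store: AuthzStore) -> Tuple[bool, str]:
    """Decide whether the token's principal may act on `org_id`.

    Returns (allowed, reason). Both token kinds are supported, but each one is
    checked only against its own mapping: a user token never falls back to the
    client table and vice versa.
    """
    if not claims.get("sub"):
        return False, "token has no subject"

    kind = token_kind(claims)
    pid = principal_id(claims)

    if kind == "user":
        # Option 1: reuse the existing User-to-Organization authorization.
        # If the user was removed from the Organization, this is where the
        # integration stops working, exactly as the post describes.
        if store.user_can_access(pid, org_id):
            return True, f"user {pid} is a member of {org_id}"
        return False, f"user {pid} is not a member of {org_id}"

    # Option 2: the extra Client-to-Organization authorization that a
    # Client Credentials token requires.
    if store.client_can_access(pid, org_id):
        return True, f"client {pid} is authorized for {org_id}"
    return False, f"client {pid} is not authorized for {org_id}"


def demo() -> dict:
    """Run the four cases a practitioner would want to see (constructed data)."""
    store = AuthzStore(
        user_orgs={"auth0|alice": {"org_A"}},
        client_orgs={"stripeapp123": {"org_A"}},
    )
    user_token = {"sub": "auth0|alice", "aud": "https://service.example/api"}
    m2m_token = {"sub": "stripeapp123@clients", "gty": "client-credentials",
                 "aud": "https://service.example/api"}

    results = {
        "user_in_org": authorize(user_token, "org_A", store),
        "client_in_org": authorize(m2m_token, "org_A", store),
        "client_not_in_org": authorize(m2m_token, "org_B", store),
    }
    # Simulate the user leaving the Organization: the user-token path fails,
    # the client-token path is unaffected.
    store.user_orgs["auth0|alice"].discard("org_A")
    results["user_after_leaving"] = authorize(user_token, "org_A", store)
    results["client_after_user_left"] = authorize(m2m_token, "org_A", store)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:24s} {'ALLOW' if ok else 'DENY ':5s} {why}")
```

The point the example makes is that the decision to use Client Credentials does not remove the authorization problem, it relocates it: the Service still has to answer "is this principal allowed to write into this Organization?", only now the principal is a client id rather than a user id, and that table has to be provisioned and revoked by someone. Run the block directly to see the five cases printed.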