I have a back-end, a type of self-hosted CMS. This CMS maintains tokens, obtained upon initial login or user creation, maintained and refreshed, and encrypted at rest.
To perform its operations, this CMS uses an M2M “main” token.
I have a Jamstack-type front-end on a different server, different domain. That front-end commonly uses an API, registered with Auth0, and uses passwordless, with RS256. For management-type operations, that front-end uses its own “main” client id and client secret.
But there are times when that front-end needs to tap data stored in the CMS.
I am wondering what the best strategy is here. Should I register the FE client id and client secret as additional keys with the CMS, so the CMS can “impersonate” the front-end?
Should I treat the front-end and CMS as a single app with shared keys? But they live on different domains.
The CMS needs to be able to validate the signature of requesting tokens coming from the front-end basically. It might even need to retrieve “userinfo”, and use custom claims to perform some authorization.
Pointers welcome. Thanks.