I’m trying to figure out best practices for authenticating API requests from domains that I don’t control, and I’d appreciate some guidance.
My setup: We have a web app that uses Auth0 for IAM. The web app exposes an API (app.foo.com/api) that authenticates requests using a JSON Web Token, and we allow users to generate tokens for their account through the authorization code flow provided by Auth0. This workflow is configured as an Application in Auth0, although it corresponds to an API.
On top of this, there exists a skinned frontend for the web app that a client of ours maintains separate from us. The skinned frontend interacts with our API with requests originating from a separate domain (app.bar.com), and it has its own Auth0 tenant so that users of the skinned site can authenticate to it while the skinned frontend accesses our API via a custom social connection (set up via an Auth0 extension).
The current situation: Our client is now developing a third site (ann.bar.com) that they want to use to consume our API. We don’t necessarily want to replicate our current approach with this new site because it doesn’t seem ideal. For one, we are continually appending Allowed Callback URLs for domains that we have no control over. I’m wondering what the best practice is for administering API tokens to users of this third site via the identity that they have established in the Auth0 tenant for the skinned frontend?
Based on the Auth0 docs for multi-party authentication, it seems like the recommended workflow is to instruct our client to set up a redirect rule during their authentication that would ask our API for a token. On our side, we would need to configure the Allowed Callback URLs for our API Application to whitelist their domain, and potentially make other changes to permit our Auth0 tenant to provision tokens to their app.
Another possible workflow seems to be to authenticate using OpenID Connect to another Auth0 tenant. I believe we tried and failed to implement this solution about a year ago, when there was a known bug preventing OIDC connections between Auth0 tenants.
Which of these workflows is the right fit for our situation? If one workflow stands out as the right one to pursue, are there any additional docs or tutorials that might help us understand how to implement it?
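Whichever flow issues the tokens, the API at app.foo.com/api ends up accepting JWTs minted by more than one Auth0 tenant, so the resource server has to pin the set of trusted issuers and its own audience rather than trusting any well-formed token. The following is an added illustration, not code from the post or from Auth0: a minimal multi-issuer verifier. Issuer URLs, secrets and the audience value are constructed placeholders, and it uses HS256 shared secrets so it runs offline (real Auth0 access tokens are RS256-signed and would be verified against each tenant's JWKS instead).

```python
import base64, hashlib, hmac, json, time

# Constructed placeholders for the two tenants described in the post (hypothetical).
# Real Auth0 tokens are RS256-signed; the per-tenant JWKS would replace these secrets.
TRUSTED_ISSUERS = {
    "https://foo-tenant.example/": b"foo-tenant-secret",   # our own tenant
    "https://bar-tenant.example/": b"bar-tenant-secret",   # the client's tenant
}
API_AUDIENCE = "https://app.foo.com/api"  # assumed API identifier for our resource server

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(issuer, subject, audience, secret, ttl=300, now=None):
    """Constructed token issuer standing in for an Auth0 tenant (test helper)."""
    now = int(time.time()) if now is None else now
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token, now=None):
    """Return the claims if the token is from a trusted issuer, addressed to this API,
    unexpired and correctly signed; return None for anything else."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":
        return None  # the token never gets to choose the algorithm
    secret = TRUSTED_ISSUERS.get(claims.get("iss"))
    if secret is None:
        return None  # unknown tenant: reject before even checking the signature
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None  # signature does not match the issuer's key
    aud = claims.get("aud")
    if aud != API_AUDIENCE and not (isinstance(aud, list) and API_AUDIENCE in aud):
        return None  # token was issued for some other API
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims
```

The issuer lookup happens before signature verification, so a token from a tenant that is not in the trusted set is rejected regardless of how it is signed, and the audience check stops a token issued for a different API from being replayed against this one.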