I would like to make the API of a service I am building available to external users.
External users can call the API of my service from a CLI tool, or from an ETL tool that supports OAuth 2.0 connections, etc.
To achieve this, I am thinking of doing the following:
- Issue a client id and client secret to the user on the service’s administration screen (behind the scenes, call Auth0’s Management API v2, issue the application, and display the client id and client secret on my service side)
- The user uses the client id and client secret to obtain an access token (specifically, I am thinking of using https://auth0.com/docs/get-started/authentication-and-authorization-flow/call-your-api-using-the-client-credentials-flow )
- Hit my API service with the access token
Is there a problem with this approach?
We could go the general way of issuing our own API tokens, but we don’t want to manage that ourselves, so we want to ride on top of the Auth0 mechanism as much as possible.
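
The API side of the third step, as an added example that is not part of the original post: the service verifies the access token and maps its `azp` claim (the client id issued on the administration screen) back to the account that owns it. Assumptions: the Auth0 API is configured for HS256 so the sketch runs on the standard library alone (with RS256, verify against the tenant's JWKS using a JWT library instead); the tenant, audience, secret, client id and the `CLIENTS` mapping are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values (assumptions, not from the original post).
ISSUER = "https://example-tenant.auth0.com/"
AUDIENCE = "https://api.example.com"
SIGNING_SECRET = b"constructed-demo-secret"
# client id issued on the admin screen -> account in my service (hypothetical store)
CLIENTS = {"constructedClientId123": "customer-42"}

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims, secret=SIGNING_SECRET, alg="HS256"):
    """Build a constructed token for the demo (stands in for the token endpoint)."""
    head = _b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def authorize(token, now=None):
    """Return the account for a valid token, or raise PermissionError."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(_b64d(head))
        claims = json.loads(_b64d(body))
        given = _b64d(sig)
    except ValueError as exc:
        raise PermissionError("malformed token") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg != "HS256":  # pin the algorithm; never let the header choose it
        raise PermissionError("unexpected alg")
    want = hmac.new(SIGNING_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):
        raise PermissionError("bad signature")
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER or AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise PermissionError("expired")
    account = CLIENTS.get(claims.get("azp"))  # which issued client is calling
    if account is None:
        raise PermissionError("unknown or revoked client")
    return account
```

Removing a client id from the mapping rejects that client's tokens immediately, without waiting for tokens already issued to expire.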