We would like to give our users the ability to create a token that does not expire, so they can give that credential to a third-party client (e.g. cli) and have it act as them (with their permissions) when calling our APIs.
I have created the following sequence flow diagram showing how this might work:
As you can see, this requires creating a single Application in Auth0, configuring it for refresh and password grants (ONLY, no client_credentials grant), and sharing that single application’s client_secret with all users.
I have seen the previous discussion around API tokens/keys (e.g. How to implement API keys using Auth0?) but none of those seemed to do quite what we want or have other management drawbacks. However, I’m nervous that we need to give all users the credentials for a single application in Auth0, i.e. the client_secret, despite the docs and my testing showing that you can’t get an access_token without a valid refresh_token or username and password.
Can anyone (especially Auth0) confirm whether this is a secure use of Auth0 or if not, what the issue(s) are and how we might best resolve them?
Thanks in advance.
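The token exchange the post describes, as an added example that is not from the post or from Auth0: the CLI first obtains a refresh_token with the password grant (using the shared client_id/client_secret), then exchanges that refresh_token for a new access_token with the refresh_token grant. The tenant name, API identifier and client credentials are placeholders, and the `StubAuthServer` is a constructed stand-in for the authorization server that encodes only the policy the post states (password and refresh_token grants enabled, client_credentials disabled, client_secret required on every call), so the script runs offline; pass `post=_urllib_post` to talk to a real tenant instead.

```python
"""Password grant + refresh_token grant against an Auth0-style /oauth/token endpoint.
Added example, not code from the original post or from Auth0."""
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://example-tenant.auth0.com/oauth/token"  # assumed tenant name
CLIENT_ID = "shared-cli-client-id"                            # placeholder for the single shared application
CLIENT_SECRET = "shared-cli-client-secret"                    # placeholder; this is the value handed to every user
AUDIENCE = "https://api.example.com/"                         # assumed API identifier


def _urllib_post(url, form):
    """Real transport: form-encoded POST, returns (status, parsed JSON body)."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read())


def _token_request(form, post):
    status, body = post(TOKEN_URL, form)
    if status != 200:
        raise PermissionError(body.get("error_description", body))
    return body


def password_grant(username, password, post=_urllib_post):
    """Step 1: user credentials -> access_token + refresh_token (offline_access scope)."""
    return _token_request({
        "grant_type": "password",
        "username": username,
        "password": password,
        "audience": AUDIENCE,
        "scope": "openid offline_access",  # offline_access is what makes a refresh_token come back
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }, post)


def refresh_grant(refresh_token, post=_urllib_post):
    """Step 2 (repeated by the CLI): refresh_token -> fresh access_token."""
    return _token_request({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }, post)


def client_credentials_grant(post=_urllib_post):
    """The grant the post says must stay disabled: secret alone, no user."""
    return _token_request({
        "grant_type": "client_credentials",
        "audience": AUDIENCE,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }, post)


class StubAuthServer:
    """Constructed stand-in for the authorization server; models only the policy in the post."""

    def __init__(self, users):
        self.users = users            # constructed username -> password table
        self.refresh_tokens = {}      # issued refresh_token -> subject
        self._n = 0

    def __call__(self, url, form):
        # Every grant on a confidential client needs the shared client_secret.
        if form.get("client_id") != CLIENT_ID or form.get("client_secret") != CLIENT_SECRET:
            return 401, {"error": "access_denied", "error_description": "bad client credentials"}
        grant = form.get("grant_type")
        if grant == "password":
            if self.users.get(form.get("username")) != form.get("password"):
                return 403, {"error": "invalid_grant", "error_description": "wrong username or password"}
            return 200, self._issue(form["username"], "offline_access" in form.get("scope", ""))
        if grant == "refresh_token":
            subject = self.refresh_tokens.get(form.get("refresh_token"))
            if subject is None:
                return 403, {"error": "invalid_grant", "error_description": "unknown refresh token"}
            return 200, self._issue(subject, with_refresh=False)
        # client_credentials (and anything else) is not enabled on this application.
        return 403, {"error": "unauthorized_client",
                     "error_description": "grant type %r not allowed for the client" % grant}

    def _issue(self, subject, with_refresh):
        self._n += 1
        body = {"access_token": "at-%s-%d" % (subject, self._n), "token_type": "Bearer", "expires_in": 86400}
        if with_refresh:
            token = "rt-%s-%d" % (subject, self._n)
            self.refresh_tokens[token] = subject
            body["refresh_token"] = token
        return body


if __name__ == "__main__":
    stub = StubAuthServer({"alice@example.com": "s3cret"})
    first = password_grant("alice@example.com", "s3cret", post=stub)
    print("refresh_token handed to the CLI:", first["refresh_token"])
    print("later access_token:", refresh_grant(first["refresh_token"], post=stub)["access_token"])
```

Each token response is keyed to the user whose credentials (or whose refresh_token) were presented, so the stub reproduces the property the post relies on: holding the shared client_secret alone yields nothing, because the only enabled grants both require something user-specific.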