My company is looking for a centralized way to manage authentication.
We have various APIs hosted by my company and its subsidiaries. One of our architects suggested auth0 for that purpose so I am reading through your documentations and examples online. To me, machine-to-machine flow fits for your model because our API is connected to our customers’ APIs or applications.
The problem is I do not see how user credentials are authenticated in that flow. Our customers pass user credentials so our API can process a request for the specific user. It is also money related so without user authentication, we cannot do much. Also, there will be no UI involved between customer’s app and our API, so we cannot really have interaction with user for asking uesrname/password.
Do you have concept of also authenticating user credentials in client credentials flow? If so, can you share the info from your documentation if available? I hope I have clearly explained the situation. If you have any question, please let me know and will add more info.
M2M/Client Credentials is not what you want for this case.
You need an access token from your customer that you will pass to the third party application. You can get that access token by one of our user login flows.
I am not sure what you mean by “There will be no UI involved”. If you are using a user’s credentials, you must have gotten them somehow.
M2M is only for userless scenarios.
Thanks for your reply. We do not have control over how our customer (API user) collects user credentials from the end user (one consuming our customer’s application). In some cases, our customer might have one user with our system and use that user credentials for all of their customers. In such a case, it will be API to API call, which doesn’t involve UI. We must keep the user authentication because user has wallet (money balance).
I can’t be too helpful here without some architecture diagrams.
Using customer credentials in a M2M fashion is a red flag: I think there are security issues here. You probably shouldn’t be trying to do this, though I can’t say for certain without a deeper analysis.
You can make your API aware of two types of token: user tokens and M2M tokens, if that helps.
When things are this complex, I recommend Auth0 PS time (I’m one of the PS architects):https://auth0.com/docs/services
There are packages of varying sizes, and this problem sounds like it would benefit from a detailed analysis and solution.