Hey, I am working on a system that needs to support 3 types of users:
1) UI-only users: they do not use the API, so a username and password are enough for them.
2) API-only users: developers who will use the API in their systems, using a client ID and client secret.
3) API and UI users: to log in to the UI they will use the username and password, but when using the API they should use the client ID and secret key only.
Because of type “3”, I need to connect users and applications in Auth0. How should I do this?
The user interface uses our custom API, not the Auth0 API.
Yes. We provide them with a client ID and secret so that they can get a token from Auth0 and then use it in requests to perform actions in our custom API.
A user of type 3 will log in to the UI and be able to view a dashboard of the actions he made (mostly graphs and tables associated with the actions he made in both the API and the UI). He will also be able to perform actions manually (which are also provided in the API); for example, he can update his profile data.
I hope I managed to explain myself well; if any additional information is needed, please let me know.
Thanks for the help! I followed your guidelines and ended up with a solution.
For the API I am using API Gateway with a Lambda custom authorizer (provided on the Auth0 website).
Then either the UI or the third-party applications can use the API.
The UI will use the token generated from the username/password login (using the SPA example for React), and the API can know which user called it by reading the “sub” property from the token.
If a third party uses the API, they will first get a token from the “oauth/token” endpoint with “grant_type”:“client_credentials” and then send the token to the API; the API can know which application it is by reading the “azp” property from the token.
Finally, to connect users to applications for type “3” users, I used DynamoDB with a users collection that stores “userId” (equal to the “sub” property) and “clientId” (equal to the “azp” property). This way I can always tell which user it is when they use the API from the UI or from the third-party application.
Please let me know if this flow is correct or whether I should use a different approach. It would really help.
Thanks!
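The caller-resolution step described above (sub for UI logins, azp plus the users table for third-party applications), as an added example that is not part of the original post or of Auth0's authorizer sample. It assumes the authorizer has already verified the token's signature and expiry, that client-credentials tokens carry a "gty": "client-credentials" claim (an assumption about Auth0's token shape, not stated in the post), and that an in-memory USERS list stands in for the DynamoDB users table.

```python
"""Resolve the acting user from already-verified Auth0 token claims."""
from typing import Optional

# Constructed sample data standing in for the DynamoDB "users" table.
USERS = [
    {"userId": "auth0|user-alice", "clientId": "app-client-id-1"},  # type 3 user
    {"userId": "auth0|user-bob", "clientId": None},                  # type 1 user
]


def is_client_credentials_token(claims: dict) -> bool:
    # Assumption: machine-to-machine tokens carry gty=client-credentials.
    # Do not treat the mere presence of "azp" as the discriminator: user tokens
    # issued to the SPA also carry an "azp" (the SPA's own client id).
    return claims.get("gty") == "client-credentials"


def user_for_client(client_id: str) -> Optional[str]:
    """Look up the userId linked to a third-party application's client id."""
    for row in USERS:
        if row["clientId"] == client_id:
            return row["userId"]
    return None


def resolve_caller(claims: dict) -> dict:
    """Return {"userId", "callerType"}; callerType "unknown" means deny."""
    if is_client_credentials_token(claims):
        client_id = claims.get("azp")
        user_id = user_for_client(client_id) if client_id else None
        # An application with no row in the users table is not mapped to
        # anyone, so the authorizer should deny it rather than guess.
        return {"userId": user_id,
                "callerType": "application" if user_id else "unknown"}
    sub = claims.get("sub")
    if sub:
        return {"userId": sub, "callerType": "user"}
    return {"userId": None, "callerType": "unknown"}
```

The returned dict is what the Lambda authorizer would place in its context so the API behind API Gateway sees one userId regardless of which path the call came through.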