Connect application to user (by Client ID)

Hey, I am working on a system that needs to support 3 types of users:

1) UI only users, they do not use the API and so username and password is enough for them.
2) API only users, developers which will use the api in their systems, which will use client id and client secret.
3) API and UI users, which in this case to login to the UI they will use the username and password but when using the API they should use client id and secret key only.

Because of type “3” I need to connect between users and applications in auth0, how should I do this?

Thanks for the help!

Hi @asset,

Welcome to the Auth0 Community Forum!

A few questions:

  • does the user interface with your custom API or with you auth0 APIs?
  • Are these third party developers registering their applications to use your API?
  • Can you provide an example of what user 3 would be doing?


Hey @dan.woda ,

  1. The user interface with custom api and not auth0 api.

  2. Yes. We provide them a client id and secret so that they can get a token from auth0 and then use it in the requests to perform actions in our custom api

  3. User of type 3 will log in to the UI and will be able to view a dashboard of actions he made (mostly graphs and tables that are associated to the actions he made in both api and ui ). he will also be able to perform actions manually (that are also provided in the api) for example he can update his profile data

I hope I managed to explain myself well, if there is any additional information needed please let me know.

Thanks for the help!

Hi @asset,

Okay I think I understand your case. You will want to utilize the management API to programmatically register the third party applications.

This endpoint:!/Clients/post_clients

This doc will tell you more about third party apps:

There is some setup you will have to do to get it all sorted out. Let me know how it goes.

Hope this helps!


Thanks for the help! I followed your guidelines and ended up with a solution.

For the API I am using API Gateway with lambda custom authorizer (provided in auth0 website).
Then either the UI can use the API or the Third-Party applications can use it.

The UI will use the token generated from the username-password (using SPA example for react) and the API can know which user called it by getting the “sub” property from the token.

If the Third-Party will use the API they will first get a token by using the “oauth/token” endpoint with “grant_type”:“client_credentials” and then sending the token to the API, the API can know which application is it by getting the “azp” property from the token.

Finally to connect users to applications for type “3” users, I used dynamoDB with a users collection that store “userId” which is equal to the “sub” property and “clientId” which is equal to the “azp” property. this way I can always get which user is it when they use the API from the UI or from the Third-Party application.

Please let me know if this flow is correct or should I used a different way. it would really help.

The sub claim is still valid here. I am not sure if azp is going to change, and it could possibly work too, but sub is typical.

Other than that this looks generally correct. Implementation decisions are ultimately up to you, but I would say this is the correct direction.

Feel free to open up more topics with questions if you run into anything else.

Hope this helps!


1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.