We have set up an API, which we can access using a first-party application using Client Credentials flow i.e. M2M. This all works, very good.
Now we’re looking to allow our customers to access the API using M2M. At no point do we (need to) know who the actual end user is; they will log in to our customers’ application. This application will then make the API calls to us.
In any case the documentation is a bit daunting, and I don’t completely understand what needs to be done. I’m hoping someone can confirm my assertions or point me in the right direction.
If I understand correctly:
- Our customers will need a client ID and client secret to request access tokens from Auth0, which they can then use to call our API.
- To give our customers this client data, we will need to create a third-party application (here’s where the docs get a bit confusing, as this page also talks about user consent, which I think is irrelevant in this case?).
- We create this third-party application by creating a client using the management API.
- Third-party clients cannot be created through the Auth0 dashboard. Except if we hate ourselves and do everything with CLI, we will need to create our own management-application to manage third-party applications.
- Ideally our customers need to be able to log in to this management-application to access their credentials themselves (otherwise we’d need to send them their credentials, for example by e-mail, which is less safe).
- Created third-party applications do not have access to anything by default. Access to the API needs to be granted through a “client grant”.
- If we ever want to grant customers access to some of our other APIs, they should get a new set of client id / client secret for each API. This means for a single customer we should be able to have multiple third-party applications.
- We can “connect” multiple third-party applications together using an organization. We create these also with the management API. Here I do not see a way to actually connect applications to an organization, is this done with an intermediate step, or some other way?
Is there any sort of documented step-by-step documentation or workflow for this? I can find such steps for creating an application or API, but they all end before the whole third-party access thing.
Thanks for any help.
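The post lists the customer side of the flow (client id and secret exchanged for an access token, one client grant per API) but not what the receiving API has to check before trusting such a token. The following is an added example, not code from the post or from Auth0's SDKs: it shows the request body a customer's M2M client sends to the token endpoint, and the checks the API performs on the resulting token, including that a token granted for one API is rejected by another (the "new credentials per API" point above). The tenant domain, API identifier, and the HS256 stand-in for Auth0's RS256/JWKS signing are constructed for this example; the `sub` ending in `@clients` and the `gty` claim are how client-credentials tokens are commonly distinguished, and are assumed here rather than taken from the post.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values: a real tenant uses its own domain, the API identifier
# configured as the audience, and RS256 keys fetched from the tenant's JWKS.
TENANT_ISSUER = "https://example-tenant.example.auth0.com/"
API_AUDIENCE = "https://orders-api.example.com/"
DEMO_SECRET = b"constructed-demo-secret"  # toy HS256 key standing in for RS256


def client_credentials_request(client_id: str, client_secret: str, audience: str) -> dict:
    """Form body the customer's backend POSTs to the tenant's /oauth/token endpoint.
    grant_type=client_credentials is the M2M flow: no user, just the client's own credentials."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,  # which API the token is for; one client grant per audience
    }


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_demo_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a toy HS256 JWT so the example runs offline (stands in for the issuer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _verified_claims(token: str, secret: bytes = DEMO_SECRET) -> dict:
    """Check the signature (and that alg is the one we expect) before trusting any claim."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("bad signature")
    return json.loads(_b64url_decode(payload))


def authorize_m2m_request(token: str, required_scope: str, now: Optional[int] = None) -> str:
    """Validate an M2M access token for this API; return the calling client_id on success.
    Every failure raises PermissionError so the caller answers 401/403 uniformly."""
    claims = _verified_claims(token)
    now = int(time.time()) if now is None else now

    if claims.get("iss") != TENANT_ISSUER:
        raise PermissionError("token not issued by our tenant")
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if API_AUDIENCE not in aud:
        raise PermissionError("token was granted for a different API")
    if int(claims.get("exp", 0)) <= now:
        raise PermissionError("token expired")
    # Client-credentials tokens carry no end user: the subject is the client itself.
    sub = claims.get("sub", "")
    if claims.get("gty") != "client-credentials" or not sub.endswith("@clients"):
        raise PermissionError("not a machine-to-machine token")
    # Scopes come from the client grant; require the one this endpoint needs.
    if required_scope not in claims.get("scope", "").split():
        raise PermissionError(f"missing scope {required_scope}")
    return sub[: -len("@clients")]


if __name__ == "__main__":
    # Constructed token for a customer client "cust123" granted read/write on the orders API.
    tok = mint_demo_token({
        "iss": TENANT_ISSUER, "aud": API_AUDIENCE, "sub": "cust123@clients",
        "gty": "client-credentials", "scope": "read:orders write:orders",
        "iat": 1_700_000_000, "exp": 1_700_086_400,
    })
    print(authorize_m2m_request(tok, "read:orders", now=1_700_000_100))
```

The negative paths are the ones that matter for the multi-API setup: a token minted for another audience, an expired token, or a token whose client grant lacks the needed scope is rejected before any business logic runs, so customers cannot reuse one credential set across APIs.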