I am building an application that interfaces with many standard CI/CD SaaS offerings (Travis, Jenkins, etc.). Users interact with it as follows:
1. During a CI build, a script sends a POST to one of my API endpoints, telling it to run some tests.
2. My API returns a URL that the script polls to receive the results of the test, once it is completed.
3. If the test fails, the parent CI build fails.
The API access in steps (1) and (2) needs to be protected by authentication. Ideally, users would store a long-lived API key as a secure environment variable in their CI system, and access this environment variable in their script before calling our API during the CI build. We would then send this key to Auth0, get a token back, and send the token back to the end user. They would then use this token for all subsequent API calls during that session.
This seems like it is almost like the Client Credentials Grant, but that method does not seem intended to have 100,000 different client credentials (one per user of my SaaS). Please advise if my perception here is correct.
Is there any way to generate multiple user-scoped API keys, the way that GitHub allows?
I saw this thread from 7 months ago on this topic; has anything improved since then?
TL;DR two questions:
- Should I use client credentials grant for this, and generate one client credential per user of my application (potentially thousands)?
- If not, is there another way to do this?
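The key-for-token exchange described in the flow above, as an added illustration that is not code from the original post or from Auth0: each user's long-lived API key is stored only as a hash, the CI script exchanges it for a short-lived signed session token (an in-process HMAC stand-in for the Auth0 token exchange the question describes), and the poll endpoint verifies that token. All function names, the in-memory store and the signing key are hypothetical.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory store: user_id -> sha256(api_key). A real service would use a database.
_API_KEYS: Dict[str, str] = {}
# Per-process secret used to sign session tokens (assumption; Auth0 would mint the token instead).
_SIGNING_KEY = os.urandom(32)


def issue_api_key(user_id: str) -> str:
    """Create a long-lived, user-scoped API key; only its hash is stored, so a DB leak does not leak keys."""
    key = "ci_" + secrets.token_urlsafe(32)
    _API_KEYS[user_id] = hashlib.sha256(key.encode()).hexdigest()
    return key


def revoke_api_key(user_id: str) -> None:
    """Revocation is a delete on the hash; in-flight session tokens still expire on their own TTL."""
    _API_KEYS.pop(user_id, None)


def _lookup_user(api_key: str) -> Optional[str]:
    digest = hashlib.sha256(api_key.encode()).hexdigest()
    for user_id, stored in _API_KEYS.items():
        if hmac.compare_digest(stored, digest):  # constant-time compare
            return user_id
    return None


def exchange_key_for_token(api_key: str, ttl: int = 3600, now: Optional[int] = None) -> Optional[str]:
    """Step 1: the CI script presents its API key and receives a short-lived session token, or None."""
    user_id = _lookup_user(api_key)
    if user_id is None:
        return None
    exp = (int(time.time()) if now is None else int(now)) + ttl
    payload = f"{user_id}.{exp}"
    mac = hmac.new(_SIGNING_KEY, payload.encode(), "sha256").hexdigest()
    return f"{payload}.{mac}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Step 2: the poll endpoint checks the token's MAC and expiry and returns the user id, or None."""
    try:
        user_id, exp_s, mac = token.rsplit(".", 2)
        exp = int(exp_s)
    except ValueError:
        return None
    expected = hmac.new(_SIGNING_KEY, f"{user_id}.{exp_s}".encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    if exp <= (int(time.time()) if now is None else int(now)):
        return None
    return user_id
```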