Hi, i followed this documentation Auth0 Django API SDK Quickstarts: Add Authorization to a Django API Application everything’s working fine so far. The thing is, that i need to give access to new users to this API, and i think is not viable to create a new tenant since they will share the same client ID and client secret.
I need to give a new user his own client id and client secret to interact with my app-api
What’s the approach that i need to take? as i said, API is already working since it will block access if user doesn’t have the read:permission. But i need new users
Thank you for posting your question, can you share more details, regarding your issue, what’s your current implementation and what’s the expected outcome?
Hi Dawid, my current implementation is the same as the Documentation that i’ve linked. So far i got an API and my client needs to start “selling” access to that database. I already managed to put my method under the “private” scope, and i already managed to make calls using the bearer token via client id/secret. The thing is, documentation does not state how can i give access to new people, since i will not give the same client id/secret from my application to everyone.
As i stated, API and Auth0 code/dashboard is working nicely, but i cannot find how can i give access to new people from my dashboard. I need to manage different users which they will have their own client id/secret
I didn’t understand your question fully, but from what i have gathered you could try one of these two solutions:
a. If the users you are referring to are fellow developers/ third party applications calling your api: Create a new application, add this new application as an authorized application to your api, and add the required scope for this api. Now you could share your fellow developers this client id and secret and you can tune the scope however you like it.
b. If your users are customers using your application: If you want certain users of your application have special permissions, you can add the scope from actions during login to the access token, that access token can be used to call the api.
I hope this leads you to the right direction.
Thank you for the profound explanation. I think that I understand the issue. If you don’t want to build a layer between your clients and API, the only option is to create a separate application for each client, share it with them, and let them create an access token to your API. But this solution won’t scale perfectly and is hard to maintain.
I would encourage you to check the few links below to give you more options, but they will most likely need to build a middle layer to let your clients login and provide them with access tokens to your API.