Deciding which flow to use

Hey all,

We are new to Auth0 and looking for the correct authentication flow to use. Our primary use case is an Angular SPA → Django Rest Framework API, which is fully implemented and working using auth0-angular.

Now we want to extend functionality to Machine-to-Machine clients, we would expect the following steps:
1.) We provide credentials (either username and password, or API key/Secret) to the client
2.) The client visits our api endpoint “/generate_token” with provided credentials and they are issued an access or bearer token
3.) They then use that token to access other endpoints in our system

Step 3 is already complete as the DRF API is secured and bearer tokens from a Test M2M application work with no issues, but outside of that we are struggling to find the correct path to choose. Currently we are leaning towards Resource Owner Password Flow as detailed here. Is this the best flow to use, or is there another that fits our use case better?

Thanks in advance

Hi @thomascooper

For M2M, use client credentials:

John

1 Like

John,

If we use the Client Credentials Flow, it would seem the expectation is that we could create a new M2M Application for each customer we onboard, then provide them their specific client_id and client_secret. While I am not “opposed” to this, is that really the best business practice? I would assume creating a manual user would be a better approach, something like the Resource Owner Password Flow.

Hi @thomascooper

Whether you provide the client with a username and password (and client ID and secret) or just a client ID and secret, you still must communicate unique credentials to them.

The client credentials grant is definitely the best practice in this scenario.

John

1 Like
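An added example, not from the thread or from Auth0's own SDKs, of the client-credentials exchange John recommends: the M2M client posts its client_id, client_secret and the DRF API's audience identifier to the tenant's /oauth/token endpoint, then caches the returned bearer token for step 3 instead of requesting a new one per call. The tenant domain, audience and the injectable `post`/`now` callables are assumptions for illustration and offline testing.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def build_token_request(domain, client_id, client_secret, audience):
    """Build the client-credentials POST for Auth0's /oauth/token endpoint.
    Returns (url, form body); the secret travels only in the POST body."""
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,  # identifier of the DRF API registered in Auth0
    })
    return f"https://{domain}/oauth/token", body


def http_post_form(url, body):
    """Default transport: POST a form body, return (status, response text)."""
    req = Request(url, data=body.encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode()


class M2MTokenCache:
    """Obtain a bearer token with the grant and reuse it until near expiry,
    so a busy client does not hit /oauth/token on every API request."""

    def __init__(self, domain, client_id, client_secret, audience,
                 post=http_post_form, now=time.time, skew=60):
        self._req = build_token_request(domain, client_id, client_secret, audience)
        self._post, self._now, self._skew = post, now, skew
        self._token, self._expires_at = None, 0.0

    def access_token(self):
        if self._token is None or self._now() >= self._expires_at:
            status, text = self._post(*self._req)
            if status != 200:  # bad secret, unknown audience, rate limit, ...
                raise RuntimeError(f"token request failed: HTTP {status}")
            data = json.loads(text)
            if data.get("token_type", "").lower() != "bearer":
                raise RuntimeError("unexpected token_type in response")
            self._token = data["access_token"]
            self._expires_at = self._now() + data["expires_in"] - self._skew
        return self._token

    def auth_header(self):
        """Header for step 3 of the thread: calling the protected DRF endpoints."""
        return {"Authorization": f"Bearer {self.access_token()}"}
```

The same DRF validation that already accepts the Test M2M application's tokens verifies these, since they are ordinary access tokens for the same audience.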