We have started on some integration with Auth0 that allows a user to login to our single-page web application, and the web application to receive a token which it uses to communicate with our API. We have multiple tenants in our system and have created a client for each tenant in our account.
The challenge we are facing now is introducing the possibility for some of our tenants to call our API from their systems to create new users associated with them. More generally we are considering how to do the authentication in our APIs, so it can handle being called from our web application, from our tenants' back-end systems or from a third party in the future. Below are a few more details on the scenarios.
From reading similar posts on the forums it seems there are a few different approaches and that Auth0 may not offer any specific support for API keys. But I’m still a bit in doubt about what to choose. It would be really great if we can get different approaches described and some official recommendations on which approach to choose in different scenarios. I’ll be happy to offer more details for our specific scenario if needed.
Our own single-page web application
- In our own web application we have the user log in on a specific version of the web application that determines the client being used (the client ID sent to Auth0).
- The login will generate a token (JWT) for the user, with some custom data from the app_metadata; our own ID of the tenant and the user along with some roles.
- When the web application sends requests to the API, we will validate the token (JWT) and extract the information about the user, tenant and roles.
- The API performs some authorization based on the roles as well as the user and tenant.
- We are thinking to give them an API key that they can use to call most parts of our API.
- There are some parts of the API that are not for a specific user and not used by the web application.
- Some of this is an API that relays requests on to Auth0’s user management API to look up and perform operations on users belonging to the tenant.
- There will also be some APIs that do not relay on to Auth0, but still offer operations regardless of any users or across all users.
- We are not really considering these yet.
- However, we think these will work on behalf of a specific user (and like the social identity providers require some consent first).
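The API-side check described for the web-application scenario (validate the JWT, pull tenant, user and roles out of the namespaced custom claims, then authorize), as an added example that is not part of the original post. It is standard-library only and signs with HS256 so it runs self-contained; an actual Auth0 deployment verifies RS256 tokens against the tenant's JWKS with a JWT library. The claim namespace, secret, issuer and audience values are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Assumed namespace under which a rule copies app_metadata fields into the token.
NAMESPACE = "https://example.com/claims/"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT; stands in for the token Auth0 hands the SPA."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def check_request(token, secret, issuer, audience, tenant_id, required_role, now):
    """Validate the bearer token; return (True, subject) or (False, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    head, body, sig = parts
    try:
        header = json.loads(_b64url_decode(head))
        claims = json.loads(_b64url_decode(body))
        given = _b64url_decode(sig)
    except ValueError:  # bad base64 or bad JSON
        return False, "undecodable token"
    # Pin the algorithm instead of trusting the header (rejects "none" and key confusion).
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return False, "bad signature"
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return False, "wrong issuer or audience"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    # Tenant and roles were copied from app_metadata into namespaced claims.
    if claims.get(NAMESPACE + "tenant_id") != tenant_id:
        return False, "tenant mismatch"
    if required_role not in claims.get(NAMESPACE + "roles", []):
        return False, "missing role"
    return True, claims.get("sub", "")
```

The tenant comparison is the multi-tenant guard: a valid token for one tenant is still refused on another tenant's resources.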