Hello everyone, I am new to this world of authentication with OAuth2.
I am working with Regular Web Applications connected to organizations; consequently, the only grant types available are Authorization Code, Implicit and Refresh Token. They are fine for a flow that involves a user on a browser, but they are not fine for getting a JWT token to use directly to make authenticated requests to REST APIs.
I understand from the documentation that I need to connect a Machine to Machine application to the organization so that I have the ability to get a token with the grant type “client credentials,” however it is not tied to a user registered on Auth0.
How can I get around this problem? I need to get a token bound to one or more users from API to be passed to other calls to APIs.
I thought of passing a custom parameter (for example containing the username of the user I want to use) to the machine-to-machine token request and then using an Action to insert it inside the token as a claim. Unfortunately, however, I think this is an unsafe choice (anyone could act as a different user than their own).
Unfortunately I understand that if I use an organization, I cannot use the grant type “password” at all, so I cannot officially get a token from API by passing a user’s credentials.
An M2M application does not involve any user interaction. Instead, it involves an application exchanging its application credentials for an access token.
Hi @rueben.tiow and thank you very much for your reply!
I understand that, in any case, to use the Authorization Code Flow you need a user to interact with a browser to get the code.
I need a fully automatable authentication method via API and that has the possibility to have the user context, I guess the easiest way is to use Machine-to-machine by customizing a parameter that I pass to the token request and an action that handles it, right?
Yes, that’s correct. The best option for calling your APIs would be to use the client credentials flow.
However, if you must require the user in this context, then you could use the Resource Owner Password Grant flow to call your API. Be mindful that this flow must only be used with highly trusted clients.
Thank you again for your response!
I understand though that if you have a regular web application attached to an organization, the Resource Owner Password Grant flow cannot be used; to use it, I have to “detach” the regular web application from the organization. Is this correct or am I wrong? Is there a way to use the ROPG flow despite the organization?
Ah, yes. I missed that important point. I have to correct my previous reply.
Using the ROPG will not work with Organizations because it is designed for login flows that involve user interaction.
Let me add that you could use the client credentials grant flow with Organizations. For more details, refer to this documentation. However, you won’t have the user’s context since it is non-interactive.
Thank you for the clarification!
I have another question: in case I decide to use Authorization Code Flow for API calls as well, I guess the user has to (necessarily) login from browser first and then I have to show him either the authorization code or the jwt token directly to use to make API calls.
How should this be done? User logs in from browser → I make authorization code appear on UI → he uses it to get a token to use for API. Or do I make the token obtained from browser appear on UI directly?
Thanks again
The user should never need to see the authorization code or access token directly. Instead, once the user has logged in, the backend should handle the token exchange securely. The frontend can then provide the user with an interface to make these API requests, while the backend embeds the access token in the request headers automatically.
This way, it prevents exposing the token and ensures secure communication between your API and the client.
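A sketch of the backend-side pattern described in this reply, added here as an illustration (not code from the thread or from Auth0's SDKs): the browser is sent to Auth0 with a `state`, the backend exchanges the returned code at `/oauth/token` using the client secret, and only an opaque session id goes back to the user, with the bearer token attached server-side on each API call. The tenant domain, client id and secret, redirect URI and API audience are placeholders, and the HTTP calls are injected so the code runs offline.

```python
"""Backend handling of the Authorization Code flow (added example)."""
import secrets
from urllib.parse import urlencode

AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"   # placeholder
CLIENT_ID = "YOUR_CLIENT_ID"             # placeholder
CLIENT_SECRET = "YOUR_CLIENT_SECRET"     # placeholder, stays on the server
REDIRECT_URI = "https://app.example/callback"   # placeholder
API_AUDIENCE = "https://api.example"            # placeholder

# Server-side state: pending login states and per-session tokens.
_pending_states: set = set()
_sessions: dict = {}


def build_authorize_url():
    """Step 1: redirect the browser to Auth0; the backend remembers `state`."""
    state = secrets.token_urlsafe(16)
    _pending_states.add(state)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid profile",
              "audience": API_AUDIENCE, "state": state}
    return f"https://{AUTH0_DOMAIN}/authorize?{urlencode(params)}", state


def handle_callback(code, state, post):
    """Step 2: exchange the code server-side; return only an opaque session id."""
    if state not in _pending_states:
        raise ValueError("unknown or replayed state")
    _pending_states.discard(state)
    body = {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "code": code,
            "redirect_uri": REDIRECT_URI}
    tokens = post(f"https://{AUTH0_DOMAIN}/oauth/token", body)
    session_id = secrets.token_urlsafe(32)
    # The access token is kept in the server-side store, never sent to the UI.
    _sessions[session_id] = {"access_token": tokens["access_token"]}
    return session_id


def call_api(session_id, path, send):
    """Step 3: the backend attaches the bearer token; the user never sees it."""
    sess = _sessions.get(session_id)
    if sess is None:
        raise PermissionError("no session")
    headers = {"Authorization": f"Bearer {sess['access_token']}"}
    return send("GET", f"{API_AUDIENCE}{path}", headers)
```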
Thanks again, this is clear.
My question refers to the use case where I need to provide my “clients” to make direct calls to my API (in addition to the ability to use a front end). In this case, besides the machine-to-machine solution, how would I handle obtaining the token?
In the documentation I found a page that explains how to use Authorization Code for direct calls to APIs, I wanted to understand how to handle the code.
I’m referring to this page: https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/call-your-api-using-the-authorization-code-flow
How does the user get the token by making the call with the authorization code? It occurs to me that after he logs in on the front end (from the browser), I then show him the authorization code, or have I misunderstood?