Hello everyone, I am new to this world of authentication with Oauth2.
I am working with Regular Web Applications connected to organizations, consequently it is possible to use as grant types only Authorization Code, Implicit and Refresh tokens, they are ok for a flow that includes a user passing on a browser, but they are not ok to get a JWT token to use directly to make authenticated requests to REST APIs.
I understand from the documentation that I need to connect a Machine to Machine application to the organization so that I have the ability to get a token with the grant type “client credentials,” however it is not tied to a user registered on Auth0.
How can I get around this problem? I need to get a token bound to one or more users from API to be passed to other calls to APIs.
I thought of passing a custom parameter (for example containing the username of the user I want to use) to the machine to machine token request and then using an actions to insert it inside the token as a claim. Unfortunately, however, I think this is an unsafe choice (anyone could act as a different user than their own).
Unfortunately I understand that if I use an organization, I cannot use the grant type “password” at all, so I cannot officially get a token from API by passing a user’s credentials.
What suggestions do you have?
Thanks in advance.
Hi @a.cap.cl,
You will need to use a M2M application to Call Your API Using the Client Credentials Flow. In this flow, you will not be permitted to use an organization with your audience.
An M2M application does not involve any user interaction. Instead, it involves an application exchanging its application credentials for an access token.
If you need to get an access token for your users, you will need to Call Your API Using the Authorization Code Flow. This will allow you to specify the user’s organization as well.
Let me know if you have any follow-up questions.
Thanks,
Rueben
1 Like
Hi @rueben.tiow and thank you very much for your reply!
I understand that anyway to use Authorzatjon Code Flow you need a user to interact with a browser to get the code.
I need a fully automatable authentication method via API and that has the possibility to have the user context, I guess the easiest way is to use Machine-to-machine by customizing a parameter that I pass to the token request and an action that handles it, right?
Are there any other solutions?
Thanks again
Hi @a.cap.cl,
Thanks for the update.
Yes, that’s correct. The best option for calling your APIs would be to use the client credentials flow.
However, if you must require the user in this context, then you could use the Resource Owner Password Grant flow to call your API. Be mindful that this flow must only be used with highly trusted clients.
Thanks,
Rueben
Thank you again for your response!
I understand though that if you have a regular web application attached to an organization, the Resource Owner Password Grant flow cannot be used, to use it I have to “detach” the regular web application from the organization. Is this correct or am I wrong? Is there a way to use ROPG flow despite the organization?
Hi @a.cap.cl,
Thanks for the reply.
Ah, yes. I missed that important point. I have to correct my previous reply.
Using the ROPG will not work with Organizations because it is designed for login flows that involve user interaction.
Let me add that you could use the client credentials grant flow with Organizations. For more details, refer to this documentation. However, you won’t have the user’s context since it is non-interactive.
Thanks,
Rueben
Thank you for the clarification!
I have another question: in case I decide to use Authorization Code Flow for API calls as well, I guess the user has to (necessarily) login from browser first and then I have to show him either the authorization code or the jwt token directly to use to make API calls.
How should this be done? User logs in from browser → I make authorization code appear on UI → he uses it to get a token to use for API. Or do I make the token obtained from browser appear on UI directly?
Thanks again