We have the opportunity to "upgrade" our authentication and authorization workflow. Our product is based on a public API where customers can submit requests against, say, an IP address. Clients interact with REST endpoints on our API. Currently, we provide a static string as an API key. We have been doing research and it seems (please correct me if I am wrong here) to be M2M, where we provide each of our clients (there can be thousands) a client_id and a client_secret and have them validate their identity with Auth0 and return to our API with an Auth0-generated token (JWT). We want to start leveraging the scope constructs that Auth0 makes available in the JWT token, but wanted to make sure this is the correct workflow, or whether there is a better one.
Who are you authenticating? A person or an application?
If you are authenticating a person, then using Auth Code + PKCE and treating your setup like a SPA is appropriate.
If you are authenticating an application (specifically, an application that doesn’t have a person sitting at a keyboard to enter credentials) then M2M is the way to go.
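To make the M2M recommendation concrete, here is an added example (not code from the thread or from Auth0) of the two halves of the client-credentials workflow from the API's point of view: the body the customer's application posts to the token endpoint, and the checks the API runs on the resulting JWT before enforcing a scope. The tenant domain, the API identifier `https://api.example.com`, the scope names and the signing secret are all assumptions. To run offline with the standard library the demo signs with HS256; Auth0 M2M tokens are RS256 by default, so in production verify the signature against the tenant's JWKS with a JWT library instead of the HMAC check shown.

```python
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://example-tenant.us.auth0.com/"  # assumed tenant domain
AUDIENCE = "https://api.example.com"             # assumed API identifier
SIGNING_SECRET = b"constructed-demo-secret"       # constructed for the demo only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def token_request_body(client_id: str, client_secret: str) -> dict:
    """Form body the customer's app POSTs to https://<tenant>/oauth/token."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": AUDIENCE,
    }


def mint_demo_token(client_id: str, scopes: list, ttl: int = 3600, now=None) -> str:
    """Stand-in for Auth0's token endpoint. Claim shape follows an Auth0
    client-credentials token: sub is <client_id>@clients, azp is the
    client_id, gty is client-credentials, scope is space separated."""
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": ISSUER,
        "sub": f"{client_id}@clients",
        "aud": AUDIENCE,
        "iat": now,
        "exp": now + ttl,
        "azp": client_id,
        "gty": "client-credentials",
        "scope": " ".join(scopes),
    }
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenError(Exception):
    pass


def verify_token(token: str, now=None) -> dict:
    """Checks the API must do before trusting any claim: signature, issuer,
    audience and expiry. Returns the claims on success."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # the token never gets to choose the algorithm
        raise TokenError("unexpected alg")
    expected = hmac.new(SIGNING_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    now = now if now is not None else time.time()
    if claims.get("exp", 0) <= now:
        raise TokenError("expired")
    return claims


def authorize(token: str, required_scope: str, now=None) -> str:
    """Per-endpoint check: verify the token, then require the scope.
    Returns the calling client_id (azp) for logging and rate limiting."""
    claims = verify_token(token, now=now)
    granted = set(claims.get("scope", "").split())
    if required_scope not in granted:
        raise TokenError(f"insufficient_scope: need {required_scope}")
    return claims["azp"]


if __name__ == "__main__":
    tok = mint_demo_token("abc123", ["read:ip"])
    print(token_request_body("abc123", "<secret>"))
    print("caller:", authorize(tok, "read:ip"))
```

The point of `authorize` returning `azp` is that, unlike a static API key, every request now carries a verifiable client identity plus the scopes that client was granted, so per-customer rate limits and audit logs can key on the token rather than on a lookup table you maintain yourself.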
Thanks for your help! Yes, I am authenticating applications
Hi @john.gateley, thanks again for your help. I am still struggling to understand the M2M / API key model. So let's say that currently I provide my 100 users access to my API via a static, randomly generated API key. This is used as an access token to my API. If I am to migrate to M2M, does that mean that each of those 100 users will have an Application registered in Auth0 in order for them to receive a client_id, secret_id? Or is there a different flow for me to emulate the static API key model?
If I understand everything, then you are correct: each user will have an M2M application for accessing your API. That application has the client ID and secret. In your user registration process, you will create that application (using the management API).
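An added example (not code from the thread or from Auth0) of the registration step the answer above describes: creating one M2M application per customer with the Management API and granting it your API with only the scopes that customer should have. The endpoints used are the Management API's `POST /api/v2/clients`, `POST /api/v2/client-grants` and `DELETE /api/v2/clients/{id}`; the tenant domain, the API identifier, the scope names and the `customer:` naming convention are assumptions, and the caller is assumed to already hold a Management API token with `create:clients`, `create:client_grants` and `delete:clients`. The HTTP transport is injectable so the request building can be exercised offline with the fake shown at the bottom.

```python
import json
import urllib.request

TENANT = "example-tenant.us.auth0.com"       # assumed tenant domain
API_IDENTIFIER = "https://api.example.com"   # assumed API identifier (audience)
ALLOWED_SCOPES = {"read:ip", "write:ip"}     # scopes defined on the API in Auth0 (assumed)


def _http_send(method, url, body, token):
    """Real transport: JSON request to the Management API with a bearer token."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(
        url, data=data, method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def provision_customer(customer_name, scopes, mgmt_token, send=_http_send):
    """Create a non_interactive (M2M) client for one customer and a client grant
    that lets it call API_IDENTIFIER with exactly the requested scopes.
    Returns the credentials to hand to the customer (show the secret once)."""
    unknown = set(scopes) - ALLOWED_SCOPES
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    client = send(
        "POST", f"https://{TENANT}/api/v2/clients",
        {
            "name": f"customer:{customer_name}",
            "app_type": "non_interactive",
            "grant_types": ["client_credentials"],   # nothing else, no browser flows
        },
        mgmt_token,
    )
    grant = send(
        "POST", f"https://{TENANT}/api/v2/client-grants",
        {
            "client_id": client["client_id"],
            "audience": API_IDENTIFIER,
            "scope": sorted(scopes),                 # subset of ALLOWED_SCOPES only
        },
        mgmt_token,
    )
    return {
        "client_id": client["client_id"],
        "client_secret": client["client_secret"],
        "scopes": grant["scope"],
    }


def revoke_customer(client_id, mgmt_token, send=_http_send):
    """Equivalent of deleting a static API key: removing the client also
    removes its grant, so it can no longer obtain tokens for the API."""
    send("DELETE", f"https://{TENANT}/api/v2/clients/{client_id}", None, mgmt_token)
    return client_id


def fake_send(log):
    """Offline stand-in for _http_send: records requests and echoes bodies
    back the way the Management API roughly would (constructed responses)."""
    def send(method, url, body, token):
        log.append((method, url, body))
        if method == "POST" and url.endswith("/clients"):
            return {"client_id": "cid_1", "client_secret": "sec_1", **body}
        if method == "POST" and url.endswith("/client-grants"):
            return {"id": "cgr_1", **body}
        return {}
    return send


if __name__ == "__main__":
    calls = []
    creds = provision_customer("acme", ["read:ip"], "mgmt-token", send=fake_send(calls))
    print(creds)
    for c in calls:
        print(c)
```

Two design points worth noting: the client grant, not the client, is where the scopes live, so a customer's permissions are changed by editing the grant (or deleting and recreating it) without reissuing credentials; and the `client_secret` is returned by the create call only, so store it nowhere on your side and deliver it to the customer once, exactly as you would a freshly generated API key.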