
How do you use Auth0 to authenticate & authorize 3rd party vendors?

clients

#1

I’m currently looking into Non-Interactive Clients to create a client for each vendor that uses our service and then setting appropriate scopes for each; my other alternative is creating a user and leveraging app_metadata to set their scopes. I also created a simple Rule to ensure these users can’t log into any other client, strictly the API-specific Client.

There are obvious differences between the two, I’m just unsure which falls under a best practice. Also, we don’t anticipate these vendors accessing anything user-specific for now.


#2

If you don’t want to distinguish between multiple users within the same vendor, which seems to be the case, as you mention that if opting for the user-based option you would create a (presumably single) user and that vendor will not access services that are user-specific.

In this situation I would recommend going with the creation of a non-interactive client application for each vendor. You can make use of client_metadata to maintain the association between vendor and respective client application.

Additionally, for client credentials grants there’s a built-in authorization grant management interface that would let you easily configure/view the allowed scopes through the Auth0 Dashboard itself. Alternatively, you could also automate this process through the Management API.


#3

Suppose we need to identify these vendors in our API, how can we do that?
Is it a valid approach to have a local database mapping client_id -> vendor? So in our API we would read the client_id from the JWT and map the request to a given vendor. Is that the best way to do it?


#4

Yes, that seems fine; it would be the same as maintaining a user database at the API level where you would identify the user by user identifier. Instead you’re dealing with clients/vendors and client identifiers.
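The two answers above describe one pattern: a client-credentials token per vendor (#2) and an API-side table that maps the token's client_id to a vendor before checking scopes (#4). The following is an added example, not code from the thread or from Auth0, showing that API-side logic end to end. It assumes an Auth0 API configured for HS256 so the token can be verified with a shared secret and stdlib only; a production API would normally use RS256 and validate against the tenant's JWKS with a JWT library. The secret, issuer, audience, client ids and vendor names are constructed for the demo; the claim layout (`sub` = `<client_id>@clients`, `azp` = client_id, `gty` = `client-credentials`, space-separated `scope`) follows Auth0's client-credentials access tokens.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; none of these are real Auth0 credentials or tenants.
API_SIGNING_SECRET = b"constructed-demo-secret-not-a-real-key"
EXPECTED_ISSUER = "https://example-tenant.auth0.com/"
EXPECTED_AUDIENCE = "https://api.example.com/"

# Hypothetical local table the API keeps, mapping Auth0 client_id -> vendor (post #4).
VENDOR_BY_CLIENT_ID = {
    "abc123ClientIdForAcme": "Acme Logistics",
    "def456ClientIdForGlobex": "Globex Corp",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_client_credentials_token(client_id: str, scope: str, ttl: int = 3600, now=None) -> str:
    """Build an HS256 JWT shaped like an Auth0 client-credentials access token.
    In production Auth0 mints this; it exists here only so the example runs offline."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": EXPECTED_ISSUER,
        "sub": f"{client_id}@clients",
        "aud": EXPECTED_AUDIENCE,
        "iat": now,
        "exp": now + ttl,
        "azp": client_id,           # authorized party: the vendor's client_id
        "scope": scope,             # scopes granted to that client for this API
        "gty": "client-credentials",
    }
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(API_SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Check signature, issuer, audience and expiry; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(API_SIGNING_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("bad issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("bad audience")
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    return claims


def authorize_vendor_request(token: str, required_scope: str, now=None):
    """Resolve the calling vendor from the token's client_id and enforce a scope.
    Returns (vendor_name, granted_scopes); raises PermissionError on authorization failure."""
    claims = verify_token(token, now)
    if claims.get("gty") != "client-credentials":
        raise PermissionError("only client-credentials tokens are accepted on this endpoint")
    client_id = claims.get("azp")
    vendor = VENDOR_BY_CLIENT_ID.get(client_id)
    if vendor is None:
        raise PermissionError(f"unknown client_id {client_id!r}")  # not an onboarded vendor
    granted = set(claims.get("scope", "").split())
    if required_scope not in granted:
        raise PermissionError(f"{vendor} lacks scope {required_scope!r}")
    return vendor, granted


if __name__ == "__main__":
    tok = mint_client_credentials_token("abc123ClientIdForAcme", "read:shipments")
    print(authorize_vendor_request(tok, "read:shipments"))
```

The order of checks matters: signature, issuer, audience and expiry are settled before the client_id is trusted, and the vendor lookup fails closed, so a valid token from a client that was never mapped to a vendor is rejected rather than treated as an anonymous caller.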

