I’m currently looking into Non-Interactive Clients to create a client for each vendor that uses our service and then setting appropriate scopes for each; my other alternative is creating a user and leveraging app_metadata to set their scopes. I also created a simple Rule to ensure these users can’t log into any other client, strictly the API-specific Client.
There are obvious differences between the two, I’m just unsure which falls under a best practice. Also, we don’t anticipate these vendors accessing anything user-specific for now.
If you don’t want to distinguish between multiple users within the same vendor, which seems to be the case, as you mention that if opting for the user-based option you would create a (assuming single) user, and that vendor will not access services that are user-specific, then, in this situation, I would recommend going with the creation of a non-interactive client application for each vendor. You can make use of client_metadata to maintain the association between vendor and respective client application.
Additionally, for client credentials grants there’s a built-in authorization grant management interface that would let you easily configure/view the allowed scopes through the Auth0 Dashboard itself. Alternatively, you could also automate this process through the Management API.
Suppose we need to identify these vendors in our API, how can we do that?
Is it a valid approach to have a local database of client_id → vendor? So in our API we would read the client_id from the JWT and map the request to a given Vendor. Is that the best way to do it?
Yes, that seems fine; it would be the same as maintaining a user database at the API level where you would identify the user by user identifier. Instead you’re dealing with clients/vendors and client identifiers.
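As an added example (not from this thread or from Auth0), here is the API-side check the last two posts describe: verify the token, read the client identifier from its claims, look it up in a local client_id → vendor table, and enforce the scope. The audience, client ids and vendor names are constructed, and the HS256 helper only stands in for the RS256/JWKS verification a JWT library would normally do so the example runs offline.

```python
import base64, hashlib, hmac, json, time
API_AUDIENCE = "https://api.example.com/"  # constructed API identifier (audience)
VENDOR_BY_CLIENT_ID = {                    # constructed client_id -> vendor table
    "abc123clientid": "Acme Logistics",
    "def456clientid": "Globex Shipping",
}

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def verify_hs256(token: str, secret: bytes) -> dict:
    """Check the signature and return the payload. HS256 is used only so this runs
    offline; Auth0 API tokens are normally RS256 and a JWT library verifies them
    against the tenant's JWKS. The claim checks in resolve_vendor are the same."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not choose the algorithm
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))

def resolve_vendor(claims: dict, required_scope: str) -> str:
    """Map verified client-credentials claims to a vendor and enforce one scope."""
    if claims.get("exp", 0) <= time.time():
        raise PermissionError("token expired")
    aud = claims.get("aud")
    if API_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("token not issued for this API")
    if claims.get("gty") != "client-credentials":
        raise PermissionError("only machine-to-machine tokens are accepted here")
    client_id = claims.get("azp")  # Auth0 puts the client_id in azp ...
    if claims.get("sub") != f"{client_id}@clients":  # ... and sub is "<client_id>@clients"
        raise PermissionError("sub/azp mismatch")
    if client_id not in VENDOR_BY_CLIENT_ID:
        raise PermissionError("unknown client")
    if required_scope not in claims.get("scope", "").split():
        raise PermissionError(f"missing scope {required_scope}")
    return VENDOR_BY_CLIENT_ID[client_id]

def make_test_token(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 token to exercise the code (not an Auth0 token)."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"
```

Because the vendor is derived from the token's client identifier rather than from a request parameter, a vendor cannot claim another vendor's identity without that vendor's credentials, and a scope missing from the client's grant is rejected before any data is touched.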