How to authenticate both Users and Machines?

I have an Auth0 tenant which has a Single Page App Application defined. I also have the Auth0 Management API defined.

Currently, I have a single SPA deployed that has the following properties defined:

  • Authority: The value of the Domain setting on the SPA Application
  • Audience: The value of the Identifier on the Auth0 Management API
  • ClientId: The value of the Client ID on the SPA Application

I have several APIs that are all configured with the same properties as above.

This all works as expected. The SPA handles the handshake with Auth0. The Auth token received from Auth0 is passed as a Bearer token to the APIs, which make sure that the tokens are valid by getting the relevant keys from Auth0.

Now what I want to do is allow APIs to call each other in a Machine-to-Machine scenario. As this is not going to be on behalf of the user, I don’t want to allow any endpoint to be called, so I wanted to use scopes.

I am really unclear on how best to approach this. My instinct is that each API should be created as an API in Auth0 with the relevant permissions defined, and then each API that needs to call another API should also be created as an Application in Auth0 with the correct permission mapping. However, they all end up with different Identifiers and thus Audiences. So this all seems to fall apart.

So how best should I model this in Auth0?

Hi @baynezy,

Thanks for your question.

Your instinct is correct! :clap:

The best way to model this is to create each API in Auth0 with its own permissions and create a separate M2M app per API that needs to call another API. Then grant each M2M app the permissions to different APIs that it needs to access.

In this approach, it’s true that they all end up with different identifiers AKA audiences. And that’s okay because each API can call another API through the client credentials flow.

Let me know if you have any questions.

Kind regards,
Rueben

Thanks @rueben.tiow for your reply.

If I do this then the issue I have is that my SPA needs to call all the APIs with the Auth token of the user. With my current setup that means that the audience in the token will be the Identifier of the Auth0 Management API and so it won’t be authorised to call any of the APIs as the audience will not match.

How can I support both M2M from API to API, and Authorisation Code Flow with PKCE for end users via the SPA?

Hi @baynezy,

Thanks for the response.

In this scenario, you would continue to use your SPA to allow your users to log in with the authorization code flow with PKCE. During login, it’s okay to pass in the Management API as the audience. Once the user logs in, they will be issued an access token that has access to the Management API.

Then, within your SPA, when your APIs need to call other APIs, you can use the client credentials flow for those requests.

Ultimately, you will have to use both flows for this to work.

Does that help?

Thanks,
Rueben
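An added example to illustrate both of Rueben's answers from the resource-server side (this is not code from the thread or from Auth0): it shows the request body a caller's M2M application posts to the tenant's `/oauth/token` endpoint for the client credentials flow, and the checks each API should run on an incoming bearer token (signature, expiry, its own Identifier in `aud`, and the granted scope or permission). The second check reproduces the audience mismatch baynezy describes: a user token minted with the Management API as audience is refused by an API whose Identifier differs. The domain, API identifiers, client ids and signing key are constructed placeholders, and tokens are minted locally with HS256 so the script runs offline; real Auth0 tokens are RS256 and verified against the tenant's JWKS, but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed tenant values (placeholders, not real identifiers).
DOMAIN = "tenant.example.auth0.com"
MGMT_API_AUDIENCE = "https://tenant.example.auth0.com/api/v2/"
ORDERS_API_AUDIENCE = "https://orders.example.com"
SIGNING_KEY = b"constructed-shared-secret"  # stand-in for the tenant's RS256 key


def client_credentials_request(domain, client_id, client_secret, audience):
    """Body the calling API's M2M application posts to /oauth/token.
    `audience` is the callee API's Identifier, which is why each API that
    calls another needs its own M2M app granted permissions on that API."""
    return {
        "url": f"https://{domain}/oauth/token",
        "body": {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            "audience": audience,
        },
    }


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Local stand-in for the token Auth0 would issue (HS256, offline)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, audience: str, required_scope: str,
                 key: bytes = SIGNING_KEY) -> dict:
    """What each API does before serving a request: verify the signature and
    expiry, require its own Identifier in `aud`, and require the permission
    (`scope` on client-credentials tokens, `permissions` on RBAC user tokens)."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= time.time():
        raise PermissionError("token expired")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:
        raise PermissionError(f"audience mismatch: token is for {aud}")
    granted = set(claims.get("scope", "").split()) | set(claims.get("permissions", []))
    if required_scope not in granted:
        raise PermissionError(f"missing permission {required_scope}")
    return claims


def orders_api_accepts(token: str) -> bool:
    """Gate for the constructed orders API's read endpoint: needs read:orders."""
    try:
        verify_token(token, ORDERS_API_AUDIENCE, "read:orders")
        return True
    except PermissionError:
        return False


# Constructed M2M token: what a calling API receives from the client
# credentials flow when its M2M app is granted read:orders on the orders API.
M2M_TOKEN = mint_token({
    "iss": f"https://{DOMAIN}/",
    "sub": "billing-m2m-client-id@clients",
    "aud": ORDERS_API_AUDIENCE,
    "scope": "read:orders",
    "exp": int(time.time()) + 3600,
})

# Constructed user token from the SPA with the Management API as audience
# (the asker's current setup): right user, wrong audience for the orders API.
USER_TOKEN_MGMT_AUD = mint_token({
    "iss": f"https://{DOMAIN}/",
    "sub": "auth0|user123",
    "aud": MGMT_API_AUDIENCE,
    "permissions": ["read:orders"],
    "exp": int(time.time()) + 3600,
})

if __name__ == "__main__":
    req = client_credentials_request(DOMAIN, "billing-m2m-client-id", "<secret>", ORDERS_API_AUDIENCE)
    print("token request:", req)
    print("M2M token accepted by orders API:", orders_api_accepts(M2M_TOKEN))
    print("user token (mgmt audience) accepted by orders API:", orders_api_accepts(USER_TOKEN_MGMT_AUD))
```

Running it prints the token request, `True` for the M2M token and `False` for the user token: the audience check, not the permission check, is what rejects the user token, which is exactly the mismatch raised in the follow-up question.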