How to authenticate both Users and Machines?

Hi @baynezy,

Thanks for the reply.

Unfortunately, it’s not possible to configure multiple audiences in your login request.
(Reference: How to Specify Multiple Audiences)

However, if you call each audience individually, you can get access tokens for those APIs independently.

Not necessarily; this depends on whether that M2M app needs access to the Management API and the API itself.

If so, you can configure the M2M app to have authorized access to those APIs with its permissions.

Let me expand on your example:

SPA
You could use your SPA to authenticate users using the authorization code flow with PKCE and specifying access to API 1. If the user needs access to API 2 or API 3, one way is to silently authenticate them against those APIs.

API 1
This is fine because there are no external dependencies on any other APIs.

API 2
For API 2 to call API 1, it could initiate a client credentials flow. There would be an M2M app registered that API 2 can use to call API 1.

API 3
It’s the same situation here. To call API 1, API 3 would initiate a client credentials flow. This can be the same M2M app registered earlier that API 3 can use to call API 1.

Yes, this is correct. If your M2M app has authorized access to an API with its permissions (scopes), you can request an access token via the Client Credentials flow, specifying the audience of the API you want to call.

Kind regards,
Rueben
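The two halves of the pattern above, as an added example that is not part of the original thread or of Auth0's own SDKs: the per-audience client credentials request that API 2 and API 3 would each send, and the audience/scope check that API 1 must apply so a token minted for another audience is rejected. The tenant domain, API identifiers, client ID and claims are constructed placeholders, and signature verification against the tenant's JWKS is assumed to happen before `authorize` runs.

```python
"""Added example (not from the thread): one audience per token request, and the
audience/expiry/scope check each receiving API applies to the presented token."""
import time

TENANT = "https://example-tenant.example.auth0.com"   # constructed placeholder


def client_credentials_body(audience, client_id, client_secret):
    """Form body for POST {TENANT}/oauth/token. Exactly one audience per request:
    API 2 and API 3 each request a token whose audience is API 1's identifier."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
    }


def authorize(claims, own_audience, required_scope, now=None):
    """Checks applied at the receiving API to already signature-verified claims.
    Signature verification (JWKS) is assumed done by a JWT library beforehand;
    this covers audience, expiry and scope. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if own_audience not in aud:
        return False, "audience mismatch"      # token was minted for another API
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if required_scope not in claims.get("scope", "").split():
        return False, "missing scope"          # M2M app lacks this permission
    return True, "ok"


# Constructed sample claims in the shape of an M2M access token.
NOW = 1_700_000_000
TOKEN_FOR_API1 = {"iss": TENANT + "/", "sub": "M2M_CLIENT_ID@clients",
                  "aud": "https://api1.example", "exp": NOW + 3600,
                  "scope": "read:orders", "gty": "client-credentials"}
TOKEN_FOR_API2 = dict(TOKEN_FOR_API1, aud="https://api2.example")

if __name__ == "__main__":
    print(client_credentials_body("https://api1.example", "M2M_CLIENT_ID", "M2M_SECRET"))
    print(authorize(TOKEN_FOR_API1, "https://api1.example", "read:orders", NOW))  # (True, 'ok')
    print(authorize(TOKEN_FOR_API2, "https://api1.example", "read:orders", NOW))  # audience mismatch
```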