I am trying to implement a developer portal flow but have trouble mapping the idea in my head to the auth0 api. Here is what I am trying to do:
- I have a Developer Portal application that users can log into (easy to implement with auth0)
- I have an api that I want authenticated users to be able to call
- each user in the developer portal can create some kind of “application” that is granted certain scopes to the api
- a token is generated in the user interface for each of these applications that the developer can put into their serverside apps to call the api
- these tokens can be expired or deleted in case they are compromised
The way I was thinking of implementing it was as follows:
- a web application for developer portal
- an api with the developer portal allowed as a machine-to-machine application
- when the user creates a new “application” in the portal, I create a refresh token for the api on behalf of that user and display it as “token”
- the token can be revoked since it is a refresh_token
- when the user wants to call the api, they first get an access_token using the refresh_token and can then make api calls until the access_token expires, at which point they need to get another one
So far the only part I am having trouble with is to generate the refresh token for api access on behalf of the user. The oauth/token endpoint does not return a refresh_token as per spec.
Is there a better way to implement this flow?
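The flow laid out in the question, modelled as an added example that is neither the poster's code nor Auth0's API: a hypothetical in-memory store that issues a revocable per-"application" refresh token, exchanges it for a short-lived HMAC-signed access token carrying the application's scopes, and checks signature, expiry and scope on each API call. The signing key, user and scope names are constructed placeholders.

```python
import base64, hashlib, hmac, json, secrets, time

class PortalTokenStore:
    """Toy stand-in for the post's flow (hypothetical, not Auth0's token endpoint)."""

    def __init__(self, signing_key, access_ttl=300):
        self.signing_key = signing_key      # HMAC key for the toy access tokens
        self.access_ttl = access_ttl        # access-token lifetime in seconds
        self._apps = {}                     # sha256(refresh token) -> record

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create_application(self, user, app_name, scopes):
        """Step 'user creates an application': the plaintext token is shown once;
        only its hash is stored, so a leaked table does not leak usable credentials."""
        token = secrets.token_urlsafe(32)
        self._apps[self._digest(token)] = {"user": user, "app": app_name,
                                          "scopes": list(scopes), "revoked": False}
        return token

    def revoke(self, token):
        """Step 'token can be revoked'. Access tokens already issued stay valid
        until they expire, which is why access_ttl should be short."""
        rec = self._apps.get(self._digest(token))
        if rec is not None:
            rec["revoked"] = True
        return rec is not None

    def exchange(self, token, now=None):
        """Step 'get an access_token using the refresh_token'; None if unknown/revoked."""
        rec = self._apps.get(self._digest(token))
        if rec is None or rec["revoked"]:
            return None
        now = time.time() if now is None else now
        claims = {"sub": rec["user"], "azp": rec["app"],
                  "scope": " ".join(rec["scopes"]), "exp": int(now + self.access_ttl)}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self.signing_key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def verify(self, access_token, required_scope, now=None):
        """What the API does per call: signature first, then expiry, then scope."""
        body, _, sig = access_token.partition(".")
        expected = hmac.new(self.signing_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False
        claims = json.loads(base64.urlsafe_b64decode(body))
        now = time.time() if now is None else now
        return claims["exp"] > now and required_scope in claims["scope"].split()
```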