Testing Auth0 as a possible solution for us, but I am struggling to make heads or tails out of all the documents and videos.
- We have a non-interactive REST API running on an ASP.NET server.
- The REST server will be accessed from various native apps and possible web services from other businesses.
- Any number of businesses can access the REST server. We need to be able to revoke permissions for an entire business easily.
- Each business can have a list of users that can access the REST server so we need to know which user belongs to which business, and what roles/permissions each user has. If the business access is revoked then the user access should fail as well.
- The REST API server accesses a centralized database so it is crucial that each business can only access data they own, and for this each business has a unique account ID. We need to be able to read this account ID from the authentication token.
How do I set up and use Auth0 to enable this scenario?
I have been trying for days playing with different options and seem to be going around in circles at the moment. I tried the authorization extension but it does not allow roles or permissions for a non-interactive API flow. Also, there seems to be no way to associate a user with a business.
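As an added illustration of the API-side enforcement the requirements above call for (example code, not from the original post or from Auth0): an ASP.NET Core JWT bearer setup that validates the token, requires a namespaced custom claim carrying the business account ID, and rejects tokens whose business has been revoked. The tenant domain, audience, claim name and the `IBusinessRegistry` service are placeholders and assumptions.

```csharp
// Added example (not from the original post). Assumes Auth0 issues access tokens that
// carry the business account ID in a namespaced custom claim (claim name is an assumption).
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical lookup of revoked businesses, e.g. backed by the central database.
public interface IBusinessRegistry
{
    Task<bool> IsRevokedAsync(string accountId);
}

public static class AuthSetup
{
    // Assumed claim name; custom claims in Auth0 tokens use a URL-style namespace.
    public const string AccountIdClaim = "https://example.com/account_id";

    public static void ConfigureJwt(WebApplicationBuilder builder)
    {
        builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "https://YOUR_TENANT.auth0.com/"; // placeholder tenant
                options.Audience = "https://api.example.com";          // placeholder API identifier
                options.Events = new JwtBearerEvents
                {
                    OnTokenValidated = async ctx =>
                    {
                        // Signature, issuer, audience and expiry have already been checked.
                        string? accountId = ctx.Principal?.FindFirst(AccountIdClaim)?.Value;
                        if (string.IsNullOrEmpty(accountId))
                        {
                            ctx.Fail("token lacks the business account ID claim");
                            return;
                        }
                        var registry = ctx.HttpContext.RequestServices
                            .GetRequiredService<IBusinessRegistry>();
                        if (await registry.IsRevokedAsync(accountId))
                        {
                            // Revoking a business fails every user token that carries its ID,
                            // including tokens that have not yet expired.
                            ctx.Fail("business access revoked");
                        }
                    }
                };
            });
        builder.Services.AddAuthorization();
    }
}
```

In controllers, scope database queries to the `AccountIdClaim` value taken from `User`, never to an account ID supplied in the request itself.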