In general, you’ll require a separate client application record to represent each of your independent applications in order to have specific OAuth2 configuration. For example, a traditional web application at web.example.com would have its own record in order to have OAuth2 configuration specific to a confidential client. If you also had a SPA at spa.example.com, you would have another client application record so that you would have OAuth2 configuration specific to a public client.
In essence, the most common cause for needing individual client application records would be so that they could have distinct OAuth2 configurations. However, there may be other reasons to separate them. For example, if the same exact software is deployed at bar.test purely for cosmetic (UI customization) reasons, but the control of each deploy is granted to different third parties, then you will most likely also want to have separate client applications from the perspective of OAuth2. On the other hand, the same two-deploy scenario where control is solely within a single party could possibly use a common client application configuration for both deploys.
In conclusion, the exact cases that warrant distinct client applications are somewhat specific to all the small details of your particular situation; however, in general you’ll want to have individual client applications when:
- the underlying applications require different OAuth2 configuration (for example, the public vs confidential clients case).
- the control of the underlying application is granted to multiple external parties (in this case you’ll also want to ensure that the client application in Auth0 is not marked as a first-party application).
- you prefer to have a clearer separation between your own view of the same application (for example, easier log analysis by using different client application records for each mobile operating system).
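
The first two criteria in the list above can be checked against an inventory of client records. The following Python is an added example, not part of the original answer and not Auth0 code. The fields `app_type`, `token_endpoint_auth_method`, `is_first_party` and `callbacks` follow Auth0 client record names; the `operators` annotation, the party names and all sample records are constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed inventory. "operators" is a hypothetical annotation mapping each
# deployed host to the party that controls it; it is not an Auth0 field.
CLIENTS = [
    {"name": "web", "app_type": "regular_web",
     "token_endpoint_auth_method": "client_secret_post", "is_first_party": True,
     "callbacks": ["https://web.example.com/callback"],
     "operators": {"web.example.com": "us"}},
    {"name": "spa", "app_type": "spa",  # public client, yet set up like a confidential one
     "token_endpoint_auth_method": "client_secret_post", "is_first_party": True,
     "callbacks": ["https://spa.example.com/callback"],
     "operators": {"spa.example.com": "us"}},
    {"name": "whitelabel", "app_type": "regular_web",  # one record, two external operators
     "token_endpoint_auth_method": "client_secret_post", "is_first_party": True,
     "callbacks": ["https://a.partner-one.test/cb", "https://b.partner-two.test/cb"],
     "operators": {"a.partner-one.test": "partner-one",
                   "b.partner-two.test": "partner-two"}},
]

PUBLIC_TYPES = {"spa", "native"}  # application types that cannot keep a client secret


def audit(client, own_party="us"):
    """Return the reasons this record should be split or reconfigured."""
    findings = []
    hosts = {urlparse(url).hostname for url in client["callbacks"]}
    parties = {client["operators"].get(host, "unknown") for host in hosts}
    # Criterion 1: public and confidential clients need different OAuth2 settings.
    if client["app_type"] in PUBLIC_TYPES and client["token_endpoint_auth_method"] != "none":
        findings.append("public client configured with secret-based authentication")
    # Criterion 2: deployments controlled by different parties should not share a record...
    if len(parties) > 1:
        findings.append("one record shared by deployments under different control")
    # ...and an externally controlled application should not be first-party.
    if parties - {own_party} and client["is_first_party"]:
        findings.append("externally controlled application marked first-party")
    return findings


def audit_all(clients):
    return {client["name"]: audit(client) for client in clients}
```
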