I have an NodeJS/Express API hosted on azure and decided to secure it using Auth0 through the API Management service. I am trying to understand client configuration. For example, in APIM, I can configure OAuth 2.0. However, the documentation on both Auth0 and Microsoft indicate that when using grants, you are required to specify the client id and secret. Does this mean that I need to create a new client and map a new OAuth 2.0 entry in Azure for each new customer? Are there any best practices for managing clients. Do I treat clients as a type or an individual customer? For example, I have OEM customers that are white labeling my product. Do I create a new client for each OEM or do I create a client called “white-label”.
In general, you’ll require a separate client application record to represent each of your independent applications in order to have specific OAuth2 configuration. For example, a traditional web application web.example.com would have its own record in order to have OAuth2 configuration specific to a confidential client. If you also had a SPA at spa.example.com you would have another client application record so that now you would have OAuth2 configuration specific to a public client.
In essence, the most common cause for needing to have individual client application records would be so that they could have distinct OAuth2 configurations. However, there may be other reasons to separate, for example, if the same exact software is deployed at foo.test and bar.test purely for cosmetic (UI customization) reasons, but the control of each deploy is granted to different third-parties then you will most likely also want to have separate client application from the perspective of OAuth2. On the other hand, the same two deploy scenario where control is solely within a single party could possibly use a common client application configuration for both deploys.
In conclusion, the exact cases that warrant distinct client application are somewhat specific to all the small details of your particular situation, however, in general you’ll want to have individual client application when:
the underlying applications require different OAuth2 configuration (for example, the public vs confidential clients case).
the control of the underlying application is granted to multiple external parties (in this case you’ll also want to ensure that the client application in Auth0 is not marked as a first-party application).
you prefer to have a more clear separation between your own view of the same application (for example, easier log analysis by using different client application records for each mobile operating system).