I have a .NET WPF application that the user will log into using [PKCE - Proof Key for Code Exchange]. I’ve gathered this is the ideal flow to use. The application will then connect to a series of custom APIs some of which I have written and others I have not. The custom APIs I have written will also be authenticated using Auth0.
My questions are:
How do I obtain authorization to access the custom APIs I have written without asking the user to login again?
How do I obtain authorization to access the custom APIs I have NOT written without asking the user to login again?
How do I send ‘proof’ of the clients identity to the custom APIs?
You will need to make separate requests for each different API/audience. If more than one application share the same authorization server then the user will benefit from SSO (single sign on) and won’t have to enter credentials again. In Auth0, make sure you turn on the Seamless SSO option in the tenant Advanced Settings. If you don’t see that setting, it means that it’s already enabled by default.
If the authorization servers are different the user will necessarily see a login prompt (unless there’s an existing session in place) and possibly a consent dialog.
Having said that, if you are the one writing the APIs, it might be beneficial to design as one logical API, even if the actual implementation is composed of multiple separate services (possibly using different scopes for different parts of the API).
You don’t, really. Under the OAuth2 model, the “proof” is the access token, issued by the authorization server, showing that the user gave consent to the application to access the user’s protected resources. So the authorization comes in the form of the Access Token.
The JWT tokens issued by Auth0 will have the azp claim identifying the client application that requested the token, if it helps.