ID Token and Access Token: What Is the Difference?

Hi @yaron.relevy,
Thank you for joining the Auth0 Community and asking your question.

If I correctly understand, your question is about calling your own API, not a third-party one, right?

In my opinion, you have two options:

  • Stick with the standards (OIDC and OAuth) and deal with your first-party API as if it were a third-party API.
  • Implement your own authorization mechanism.

Actually, you may be tempted by a third option, which mixes the previous two, i.e., attempting to use the standards in an improper way.
The point is that if you want to use a standard framework like OIDC and OAuth, you should stick with it and with its prescriptions. But OAuth was designed for accessing third-party APIs. If you want to use it in a first-party scenario, you may find things redundant (access tokens? scopes?) and you may attempt to change the initial meaning and scope of an artifact (e.g., using an ID token for authorization purposes). Actually, you are customizing the standard for your own needs, so you have to take care of the many aspects that may arise from the improper use of the standard, security in the first place.

Regarding the other questions, “do I have to protect each resource on my IDP side? Must the IDP know every API I use?”, again, it depends on your needs.
You are not obligated to protect each resource with an IDP if you don’t want to. You may use just OIDC for authentication and build your own authorization mechanism. In the end, it’s a matter of convenience in terms of the infrastructure you need to set up, the code you need to write, and the time you want to invest in building what you need.

I hope this helps.

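As an added illustration of the point above (example code, not part of this thread and not Auth0's own SDK code): a resource server should only accept a token that was issued for it, which means checking the signature, issuer, expiry, audience and scope. An ID token is addressed to the client (its aud is the client_id and it carries no scope), so it fails that check by design. The issuer, audience, client id and the HS256 shared secret are constructed values for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this demo. Auth0-issued tokens are RS256-signed and
# verified against the tenant's public JWKS; a shared HS256 secret is used
# here only so the example runs offline.
SECRET = b"demo-shared-secret"
ISSUER = "https://example-tenant.example/"     # hypothetical issuer
CLIENT_ID = "spa-client-id"                    # an ID token's audience
API_AUDIENCE = "https://api.example/orders"    # an access token's audience

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims: dict) -> str:
    """Produce an HS256 JWT; stands in for the identity provider in this demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def authorize_api_call(token: str, required_scope: str, now=None):
    """Resource-server check: (True, claims) if the call is allowed, else (False, reason)."""
    now = time.time() if now is None else now
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return False, "unexpected alg"   # never let the token pick the algorithm
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if API_AUDIENCE not in aud:
        # An ID token's aud is the client_id: it proves the user's identity to the client, not API access.
        return False, "not issued for this API (ID token?)"
    if required_scope not in claims.get("scope", "").split():
        return False, "missing scope"
    return True, claims
```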