ID token between SP backend and integration platform

A question on intended use of OIDC id_token.

Imagine I have a user, browser, a SaaS, a middleware, a backend ERP system.
Note: SaaS is acting purely as a front-end serving application. Actual data is stored in backend ERP system.

user (browser) --(create address)--> SaaS --(send address)--> middleware --(send address)--> ERP

The user logs in to this SaaS and receives an id_token from the IdP.
The SaaS has some business logic for its specialised area.
The SaaS then sends this address to the middleware for storage in the ERP.

Question:

  • auth between browser and SaaS is with the id_token
  • what's the recommended auth between SaaS and middleware: is it appropriate to use the id_token, or a separate Client Credentials flow to secure the API without having to worry about the id_token?
  • If we use the Client Credentials flow between SaaS and middleware, are there any issues (security, dev best practice) with passing the id_token to the middleware?

Hello @secq - welcome to the Auth0 Community!

In this case, I would recommend using an access token rather than an ID token. ID tokens are issued to be used within an application, and access tokens are issued to be used within an API (which, in this case, would be your middleware, which in turn contacts your ERP).

You would have to implement Auth0 in your middleware so that it can correctly validate the token and only accept requests with valid tokens. You could use:

  • The Authorization Code Flow in the SaaS, so that users can log in and obtain tokens
  • The users contact the SaaS using the access token from the Authorization Code Flow
  • The SaaS uses the Client Credentials flow in order to contact the middleware
  • The middleware validates the access tokens from the users
  • Your middleware could use the Client Credentials grant to obtain tokens to call the ERP on behalf of itself (since it’s a machine acting on behalf of itself)
  • The ERP validates the tokens from the middleware

You have to be careful with the Client Credentials grant because it's designed to be used in a system where a machine (the SaaS) obtains a token so that it can use it for itself. In this case, the SaaS is calling the middleware on behalf of the SaaS (itself) and not the user, so you could use that. If you intend the SaaS to call the middleware on behalf of the user, you should use the user's access token instead, where the SaaS is just the middleman between the user and the middleware, and the middleware is your API.

I know this is a lot to digest, so please, feel free to come back with any questions you might have.

Good luck implementing this - hopefully we can see it in the Show Your Auth0 section!
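The check the answer above asks the middleware to perform, as an added example that is not part of the thread or of any Auth0 SDK. It models the middleware as an Auth0 API whose identifier is assumed to be https://middleware.example.com, with an assumed tenant issuer https://tenant.example.auth0.com/ and an assumed SaaS client_id `saas-client-id`; the four tokens it checks are constructed locally. Real Auth0 tokens are RS256-signed and must be verified against the tenant's JWKS (for example with PyJWT's `PyJWKClient`); HS256 with a local secret is used here only so the example runs offline, and the `sub` ending in `@clients` for Client Credentials tokens is an Auth0 convention you should confirm against your own tenant. The point it shows is the one the answer makes: an id_token is addressed to the SaaS (`aud` = client_id), so a middleware that checks `aud` against its own API identifier rejects it, while both the user's access token and the SaaS's Client Credentials token are accepted and can be told apart.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://tenant.example.auth0.com/"           # assumed tenant issuer
MIDDLEWARE_AUDIENCE = "https://middleware.example.com"  # assumed API identifier of the middleware
SAAS_CLIENT_ID = "saas-client-id"                       # assumed client_id of the SaaS (aud of its id_token)
SECRET = b"constructed-demo-secret"                     # stand-in for the tenant signing key / JWKS


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, alg: str = "HS256") -> str:
    """Build a JWT as the IdP would (constructed; alg='none' is minted only to show it is rejected)."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{body}".encode()
    sig = hmac.new(SECRET, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{body}.{_b64url(sig)}"


class TokenRejected(Exception):
    pass


def verify_access_token(token: str, now: Optional[float] = None) -> dict:
    """Middleware-side check: signature, pinned alg, issuer, audience and expiry."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":           # pin the algorithm; never let the token choose it
        raise TokenRejected("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise TokenRejected("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if MIDDLEWARE_AUDIENCE not in aud:          # an id_token carries the SaaS client_id here, not our API
        raise TokenRejected("token not issued for this API (aud mismatch)")
    if float(claims.get("exp", 0)) <= now:
        raise TokenRejected("expired")
    return claims


def caller_kind(claims: dict) -> str:
    """Assumed Auth0 convention: Client Credentials tokens have sub = '<client_id>@clients'."""
    return "machine" if str(claims.get("sub", "")).endswith("@clients") else "user"


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the middleware check over four constructed tokens and report the outcome of each."""
    tokens = {
        "user_access_token": mint({"iss": ISSUER, "sub": "auth0|user123", "aud": MIDDLEWARE_AUDIENCE,
                                   "exp": now + 3600, "scope": "write:address"}),
        "saas_client_credentials_token": mint({"iss": ISSUER, "sub": SAAS_CLIENT_ID + "@clients",
                                               "aud": MIDDLEWARE_AUDIENCE, "exp": now + 3600,
                                               "gty": "client-credentials"}),
        "id_token_as_bearer": mint({"iss": ISSUER, "sub": "auth0|user123", "aud": SAAS_CLIENT_ID,
                                    "exp": now + 3600, "email": "user@example.com"}),
        "expired_access_token": mint({"iss": ISSUER, "sub": "auth0|user123", "aud": MIDDLEWARE_AUDIENCE,
                                      "exp": now - 1}),
        "alg_none": mint({"iss": ISSUER, "sub": "auth0|user123", "aud": MIDDLEWARE_AUDIENCE,
                          "exp": now + 3600}, alg="none"),
    }
    results = {}
    for name, token in tokens.items():
        try:
            claims = verify_access_token(token, now)
            results[name] = "accepted:" + caller_kind(claims)
        except TokenRejected as err:
            results[name] = "rejected:" + str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:32} {outcome}")
```

In production the middleware would look up the key named by the token's `kid` in the tenant JWKS and verify RS256 instead of the HS256 stand-in; every other check (pinned algorithm, issuer, audience equal to the API identifier, expiry) is exactly what it should keep. Whether the accepted caller is a user or the SaaS itself is what decides whose authorization the middleware is enforcing when it forwards the address to the ERP.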