Is there any way to authorize requests from two separate Client credentials in a single API

We have two applications (Windows services). These applications access a custom standalone web API. Our requirement is that these two applications need to be authorized when calling the Web API methods. App1 calls API_Method1() and App2 calls API_Method2(). The Auth0 client credentials flow is used for this purpose. Separate client credentials have been configured for these two applications.

The authorization flow is as below.

1. Client application calls the Auth0 token endpoint (by providing ClientId & secret).
2. Client application receives a token.
3. Client application invokes the Web API method and passes the token along with the request.
4. Web API validates the token and executes the method.

To implement authorization (using Microsoft.AspNetCore.Authentication.JwtBearer), we have to configure the Authority and Audience. The Authority is the same for both. But since the Audience is different for each and configuration is done on API startup, the API can be configured to authorize only one of the applications.

Is there any way to authorize requests from two separate client credentials in a single API?

Hi @anju.gopinath,

Welcome to the Auth0 Community!

If I understand your questions correctly, you have two clients (application A, application B) that are trying to access resources from a single resource server (API).

In this type of setup, you would generally have a set of client credentials for each application (2 sets total). These apps would request tokens for your API and in those requests, they would include the API identifier as the audience parameter.

This means you would only have a single audience parameter that the API should be validating in the tokens. Effectively, the single API is the audience for the tokens, regardless of which app it is coming from.

Apologies, I am not an expert on ASP.NET, so I may be missing something here.
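
The single-audience setup described in the reply, as an added example that is not part of the original posts: one `Authority` and one `Audience` are configured at startup, and each method is restricted by a scope carried in the token rather than by a separate audience. The tenant domain, API identifier, routes and scope names (`call:method1`, `call:method2`) are placeholders, and the example assumes each machine-to-machine application has been granted only its own scope on the API in Auth0.

```csharp
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Placeholders: the Auth0 tenant and the identifier of the ONE API
        // that both App1 and App2 send as the "audience" in token requests.
        options.Authority = "https://YOUR_TENANT.auth0.com/";
        options.Audience = "https://example-api";
    });

builder.Services.AddAuthorization(options =>
{
    // One policy per method; scope names are hypothetical.
    options.AddPolicy("Method1", p => p.RequireAssertion(
        ctx => HasScope(ctx.User, "call:method1")));
    options.AddPolicy("Method2", p => p.RequireAssertion(
        ctx => HasScope(ctx.User, "call:method2")));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// A token from App1 (granted only call:method1) gets 403 on /api/method2,
// and vice versa. A token with a different audience gets 401 on both.
app.MapGet("/api/method1", () => "API_Method1 executed")
   .RequireAuthorization("Method1");
app.MapGet("/api/method2", () => "API_Method2 executed")
   .RequireAuthorization("Method2");

app.Run();

// Auth0 access tokens carry granted scopes as one space-delimited
// "scope" claim; match on whole scope names, not substrings.
static bool HasScope(ClaimsPrincipal user, string required)
{
    var scopes = user.FindFirst("scope")?.Value ?? string.Empty;
    return scopes
        .Split(' ', StringSplitOptions.RemoveEmptyEntries)
        .Contains(required, StringComparer.Ordinal);
}
```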
