We have two applications (Windows services). These applications access a custom standalone web API. Our requirement is that these two applications need to be authorized when calling the Web API methods. App1 calls API_Method1() and App2 calls API_Method2(). The Auth0 client credentials flow is used for this purpose. Separate client credentials have been configured for these two applications.
The authorization flow is as below:
1. The client application calls the Auth0 token endpoint (providing ClientId & secret).
2. The client application receives a token.
3. The client application invokes the Web API method and passes the token along with it.
4. The Web API validates the token and executes the method.
To implement authorization (using Microsoft.AspNetCore.Authentication.JwtBearer), we have to configure Authority and Audience. The Authority is the same for both. But since the Audience is different for each and configuration is done on API startup, the API can be configured to authorize only one of the applications.
Is there any way to authorize requests from two separate client credentials in a single API?
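
One way to accept tokens for both audiences in a single API while still binding each method to its own application, as an added example that is not part of the original post. It assumes an ASP.NET Core 6+ web project with the Microsoft.AspNetCore.Authentication.JwtBearer package; the tenant domain, audience identifiers, route paths and policy names are placeholders.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Placeholders (assumptions): replace with the values configured in Auth0.
const string Authority    = "https://YOUR_TENANT.example.auth0.com/";
const string App1Audience = "https://api.example/app1";
const string App2Audience = "https://api.example/app2";

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = Authority;
        // Keep JWT claim names ("aud", "sub", ...) as issued, so the
        // policies below can match on "aud" directly.
        options.MapInboundClaims = false;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            // Accept a token if its "aud" matches either application's audience.
            ValidAudiences = new[] { App1Audience, App2Audience }
        };
    });

// Accepting both audiences at authentication time is not sufficient on its
// own: without a per-method check, App1's token would also be accepted for
// API_Method2. Each policy pins one method to one audience.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("App1Only", p => p.RequireClaim("aud", App1Audience));
    options.AddPolicy("App2Only", p => p.RequireClaim("aud", App2Audience));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical routes standing in for API_Method1() and API_Method2().
app.MapGet("/method1", () => "API_Method1 result").RequireAuthorization("App1Only");
app.MapGet("/method2", () => "API_Method2 result").RequireAuthorization("App2Only");

app.Run();
```

A request carrying App1's token to `/method2` is authenticated but fails the `App2Only` policy and receives 403, while a token with neither audience is rejected with 401.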