Fair warning: I’m out of my element here after some unfortunate layoffs in these parts, but I’m hoping Auth0 will make this possible.
Here’s the simplified relationship I’m trying to establish: We host a JSON object repository (R) which allows any unknown application (A) to “register” and then save any object. There are a few tangles:
- When a new A registers, R creates a public object representing A to the public, which I think I need to store the location of in Auth0’s record for A;
- All A’s interactions with R are server to server—even if A has a front-end, calls to R must be proxied through;
- R writes a private property onto the object to be stored, which should be a trusted location of the public A object.
At first pass, I thought each new A would be a User in my Client for R. I created a rule that POSTed the public object, read the response, and wrote the URL into `app_metadata.agent` on the User. This worked until I tried to imagine how a User (someone’s A) would get an `access_token` without a web interface. That is, the human user of A does not need to be known to R at all; only A itself needs to authenticate (and so “login” or “getToken” or something) from its own backend (Java, Node, what-have-you) and then pass a token to R with the actions it is attempting. Then, I reasoned, R would always `getUserInfo/TOKEN` and write the value of `user.app_metadata.agent` into the object before saving it (also confirming that the requestor is authorized, by the way). Alas, I cannot find a back-end way to “login” as a User-cum-application.

So, I thought, I could use the dynamic client thing, which would give me access to all points of the API and solve that issue, except now I don’t know how the `app_metadata.agent` value could be recorded somewhere behind authentication reliably.

Is this impossible? Do I need a web interface for the developer to get an `access_token` and then manually plug it into their code and trust them to update it whenever it expires?
What am I missing? It must be so basic.