Hello,
We integrated Auth0 at our organization but I’m facing a problem when authorizing applications that consume multiple APIs. I created an initial ticket here: React SDK with multiple audiences and refresh tokens - #4 by jonas.pauthier. It was advised to use logical APIs to solve such a problem.
To best describe our use-case here is an example, we have 3 APIs: API-1, API-2 and API-3. We also have 2 apps: App-A and App-B.
App-A contacts API-1 and API-2.
App-B contacts API-2 and API-3.
Following the usage of logical APIs in Auth0 (let’s identify them as L-API), we’d create one L-API-1 for API-1 and API-2, another one L-API-2 for API-2 and API-3. It means API-2 needs to validate access tokens with aud=L-API-1 and aud=L-API-2. Is this a problem for an API to accept access tokens from multiple audiences?
Following this article: Validate Access Tokens, I guess it would be ok. The only problem I foresee is when using the @auth0/nextjs-auth0 SDK, for example, which seems to accept only one domain. I guess we’d have to validate access tokens in API endpoints ourselves if they need to be contacted by multiple apps. Is that a fair assumption?
Thank you.