Logical APIs with shared services and multiple applications


We integrated Auth0 at our organization but I’m facing a problem when authorizing applications that consume multiple APIs. I created an initial ticket here: React SDK with multiple audiences and refresh tokens - #4 by jonas.pauthier. It was advised to use logical APIs to solve such a problem.

To best describe our use-case here is an example, we have 3 APIs: API-1, API-2 and API-3. We also have 2 apps: App-A and App-B.
App-A contacts API-1 and API-2.
App-B contacts API-2 and API-3.
Following the usage of logical APIs in Auth0 (let’s identify them as L-API), we’d create one L-API-1 for API-1 and API-2, and another one, L-API-2, for API-2 and API-3. It means API-2 needs to validate access tokens with aud=L-API-1 and aud=L-API-2. Is this a problem for an API to accept access tokens from multiple audiences?

Following this article: Validate Access Tokens, I guess it would be ok. The only problem I foresee is when using the @auth0/nextjs-auth0 SDK, for example, which seems to accept only one domain. I guess we’d have to validate access tokens in API endpoints ourselves if they need to be contacted by multiple apps. Is that a fair assumption?

Thank you.

Another solution would also be to use one logical API for all services and applications. We’d lose the ability to restrict by audience, but we could still restrict access based on permissions. Do you see a problem with that or with the previous solution?