Multiple Apps, Single API, mixed oauth flows

sjungers · January 25, 2021, 4:25pm

Hi, I’m trying to work through the documentation to set up our authorization architecture, and I’m struggling to figure out which of these options will be best.

We have 2 applications that currently share the same client information. They are both MVC applications and use OIDC + authorization_code flow.

We recently introduced a separate API that these applications will be called and is secured with RBAC (but we are currently not using the authorization extension in Auth0).

We are also introducing a new SPA that handles the administration of the new SPA + provides some APIs for the 2 existing applications to call.

Requirements are:

I can use machine-to-machine authorization to call the API with the right roles (scopes)
If an end-user is logged into one of the apps, the application can make the appropriate calls to the API with the roles the user has (we’re currently passing the user’s token through, I’m not sure if that’s right, though).
The user logged into the spa can call the APIs to administer the data for that application.

We started with a single API definition in Auth0 + a single application/client definition in Auth0, but users were forced to authorize the app in the SPA when they weren’t in the MVC apps. This is all a bit complicated, and I’m not sure if it makes sense to do it this way.

Any help would be greatly appreciated.

dan.woda · January 25, 2021, 8:45pm

Hi @sjungers,

You should register each app separately (different client id/secret). Let’s say we have a regular web app for admin, a web app for employees, and a SPA for customers. Those would require you set up three different applications/clients in Auth0. Then, if they all send requests to the same API, you would register a single API with Auth0.

You also might want to set up a machine to machine application.

These docs might also help, although they use some outdated flows and SDKs.

sjungers · January 25, 2021, 8:58pm

Thanks for the response @dan.woda. So, that’s the approach I was heading towards, but what I’m not sure about is how to do the token validation in the API. We’re using jwt for the access token, and I’m assuming we will want to do audience and signature validation in the API to ensure the token hasn’t been tampered with, right? How can I do that if each application uses a different client-id, client-secret? Would switching to RS256 instead of HS256 allow multiple apps to access the same API?

Sorry, I’ve been so deep in the docs that my eyes are going crossed. Every time I feel like I understand the solution, I come up with a different concern.

dan.woda · January 25, 2021, 10:07pm

You won’t be able to user symmetric algos in a client side app. (i.e. you can’t use HS256 in a SPA).

Here is a good post that breaks it down:

In short: yes, you will need to use RS 256.

system · February 9, 2021, 9:06pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.