Hi, I’m trying to work through the documentation to set up our authorization architecture, and I’m struggling to figure out which of these options will be best.
We have 2 applications that currently share the same client information. They are both MVC applications and use OIDC + authorization_code flow.
We recently introduced a separate API that these applications will be called and is secured with RBAC (but we are currently not using the authorization extension in Auth0).
We are also introducing a new SPA that handles the administration of the new SPA + provides some APIs for the 2 existing applications to call.
- I can use machine-to-machine authorization to call the API with the right roles (scopes)
- If an end-user is logged into one of the apps, the application can make the appropriate calls to the API with the roles the user has (we’re currently passing the user’s token through, I’m not sure if that’s right, though).
- The user logged into the spa can call the APIs to administer the data for that application.
We started with a single API definition in Auth0 + a single application/client definition in Auth0, but users were forced to authorize the app in the SPA when they weren’t in the MVC apps. This is all a bit complicated, and I’m not sure if it makes sense to do it this way.
Any help would be greatly appreciated.