As most companies would, we have multiple client apps and multiple servers.
Some of those clients need access to more than one server.
We need a flow that allows users to auth once from which we get an AccessToken that we can supply to the relevant servers.
The natural way to do that is to provide multiple audiences with the auth request so that the auth token contains multiple audiences.
I have read the other posts on here which indicate that this isn’t possible with Auth0, because … not interested … not implemented … not something.
The stated workaround in Auth0 is to create an UberApi and then use scopes within that API to partition access to each of the APIs that it represents.
The problems with this approach are that:
- Scopes are there to limit an application's access to user data. Audiences are there to limit a user's access to a server resource.
- Using scopes in this manner means that you need bespoke code in each server that decodes the token and parses it for specific scope(s), introducing code complexity and error for a simple cross-cut.
- Taking this to its logical conclusion means that you would have a single Audience for all your server resources, and within that Audience you would have a custom scope for every server resource that you expose, which would totally defeat the whole API/audience concept in the first place.
So my questions are:
- Why does Auth0 not cater for multiple audiences in an access token when the OAuth spec clearly allows for it?
- When will Auth0 implement multiple audiences in an access token?