Multiple Auth0 APIs

Hello,

I have a single Auth0 application that will be assigned scopes when requesting an access token. The machines requesting this token will all use the same client id and secret from the application. The only difference is the Auth0 API audience - there will be a different Auth0 API for each machine requesting the token. Is this the proper way to assign scopes on the access token?

Or, should each machine use a different Auth0 application (with different client ids and secrets) and be granted an access token using a single Auth0 API (audience)? Is one more secure than the other?

Hi @mmbmf1

I need a different type of info to help with this. You are providing the implementation details. But I need the overall use case. What does a machine represent? Is there a user involved? What happens if one machine tries to impersonate another?

John

1 Like

Hi, @john.gateley thanks for reaching out.

A machine, in this case, represents a customer using their API to request an access token to hit our endpoint. There are multiple customers that would need a token with different scopes. There are no users that would login.

What happens if one machine tries to impersonate another?

Not exactly sure what you mean, but I think this is what I am asking. If each customer has the same client id and client secret, and only a unique audience when requesting a token, would it be easier for impersonation?

Thanks again!

Hi @mmbmf1

So, with no users to log in, this is the client credentials flow.

Instead of scopes, each of your customers needs their own client credentials application, which gives them their own client ID and secret.

You should NOT have customers sharing client IDs and secrets.

John

2 Likes
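The distinction John draws, as an added toy model that is neither Auth0's code nor anything posted in this thread: a minimal client-credentials issuer with one application per customer, beside the shared-client design the question proposed. All client IDs, secrets, audiences and scopes below are constructed sample values.

```python
import hmac

# Constructed sample data: one client-credentials application per customer,
# each authorized for exactly one API (audience) with its own scopes.
PER_CUSTOMER_CLIENTS = {
    "acme-m2m":   {"secret": "acme-secret-CONSTRUCTED",
                   "grants": {"https://api.example.com/acme": ["read:orders"]}},
    "globex-m2m": {"secret": "globex-secret-CONSTRUCTED",
                   "grants": {"https://api.example.com/globex": ["read:orders", "write:orders"]}},
}

# The design the question proposes: a single shared client, one API per customer,
# with scopes attached to the API rather than to the caller.
SHARED_CLIENT = {"secret": "shared-secret-CONSTRUCTED"}
API_SCOPES = {
    "https://api.example.com/acme":   ["read:orders"],
    "https://api.example.com/globex": ["read:orders", "write:orders"],
}


def issue_per_customer(client_id, client_secret, audience):
    """Client-credentials issuance with per-customer clients.
    Returns the token claims, or None if the request is refused."""
    client = PER_CUSTOMER_CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return None
    scopes = client["grants"].get(audience)
    if scopes is None:  # this customer was never authorized for that API
        return None
    return {"sub": client_id, "aud": audience, "scope": " ".join(scopes)}


def issue_shared(client_secret, audience):
    """Issuance when every customer presents the same client ID and secret.
    The issuer can only check the one secret; it cannot tell which customer is calling,
    so the token's subject is identical for every caller."""
    if not hmac.compare_digest(SHARED_CLIENT["secret"], client_secret):
        return None
    scopes = API_SCOPES.get(audience)
    if scopes is None:
        return None
    return {"sub": "shared-client", "aud": audience, "scope": " ".join(scopes)}


if __name__ == "__main__":
    # Per-customer: Acme's credentials cannot mint a token for Globex's API (prints None).
    print(issue_per_customer("acme-m2m", "acme-secret-CONSTRUCTED", "https://api.example.com/globex"))
    # Shared: whoever holds the single secret gets a token for any customer's API.
    print(issue_shared("shared-secret-CONSTRUCTED", "https://api.example.com/globex"))
```

The per-customer issuer ties the token's subject and scopes to the credential that was presented, which is what lets the API (and the issuer's logs) attribute each call to one customer.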

Hey @john.gateley,

Thanks for the follow-up and clarification!

1 Like

We are here for you!

1 Like