Hi everyone,
I’m building a customer API where they’ll be able to create orders, transactions, customers, etc.
We believe the way to go is to implement a M2M integration where our Application is called “Merchant API” and all of our customers can connect to it.
Ideally, I’d like to control access to that API on a per-customer and (ideally, but not necessary) on a per-merchant user basis. That way, each can have their own Client ID and Client Secret that they can use to authenticate into our system and have their own permissions.
How can I accomplish this? Any guidance is very much appreciated.
Thanks!
Alejandro
Hello @a.pinzon
That is one approach, and it works. You’ll need to create a “dashboard application” that you use to create a customer/merchant, which creates the application and somehow communicates the credentials (client ID/secret) to the customer. This latter part is hard.
The alternative approach is to have each customer/merchant register an account, and they log in to that account to get an access token. You’d need an app for them to log into with this approach.
John
We do have a dashboard that our customers can use.
By this do you mean creating an Application in Auth0 on a per customer/merchant basis?
I would’ve expected to have one single Auth0 application where all customers/merchants can authenticate to without having to create an Auth0 Application for them. Does this make sense?
What specific thing is hard about this just to make sure I understand?
Regarding your alternative approach, how would you do this if we already have a customer dashboard? Would we have to create a user with Username-Password-Authentication permissions and then generate Client ID and Client Secrets for them? I have no problem executing manual work for the first 6 months, so I can log into Auth0 and create users manually, but need to plan on scaling.
Thanks,
Alejandro
Hi Alejandro,
Normally, there is one application per customer/merchant. Your approach (sharing one application among all customers) is susceptible to information leakage: a customer may be able to use the API to get info (or set info) about a different customer.
Securely communicating credentials (passwords, client secrets) is hard. The communication channel must be secure.
The idea I am suggesting is to integrate Auth0 client/application creation as part of your customer onboarding process. I don’t know how your onboarding works, so I can’t do more than hint, but at some point a customer signs up, and that is when you should create the Auth0 client (via the management API).
John
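The onboarding flow John outlines (one Auth0 M2M application per merchant, created through the Management API, and the Merchant API refusing cross-merchant access), as an added example that is not code from the thread or from Auth0. The API identifier, the scope names, the `ClientRegistry` store and the injectable `post` function are assumptions so the snippet runs offline; token signature verification is assumed to have happened before `authorize` is called.

```python
"""Added example: per-merchant Auth0 M2M clients plus an isolation check."""
from dataclasses import dataclass, field

# Assumed values: the Merchant API identifier and the default permissions.
MERCHANT_API_AUDIENCE = "https://merchant-api.example.com"
DEFAULT_SCOPES = ["create:orders", "read:orders"]


@dataclass
class ClientRegistry:
    """Your own record of which merchant owns which Auth0 client_id."""
    owners: dict = field(default_factory=dict)


def onboard_merchant(merchant_id, registry, post):
    """Create the merchant's Auth0 application at sign-up time.

    `post(path, body)` is an assumed HTTP helper that calls the Management API
    with a Management API token; a fake can be injected for offline runs.
    """
    # One application per merchant: Management API POST /api/v2/clients
    client = post("/api/v2/clients", {
        "name": f"merchant-{merchant_id}",
        "app_type": "non_interactive",
        "grant_types": ["client_credentials"],
    })
    # Allow only that client to call the Merchant API, with limited scopes:
    # Management API POST /api/v2/client-grants
    post("/api/v2/client-grants", {
        "client_id": client["client_id"],
        "audience": MERCHANT_API_AUDIENCE,
        "scope": DEFAULT_SCOPES,
    })
    # Bind the client to its merchant so the API can enforce isolation later.
    registry.owners[client["client_id"]] = merchant_id
    # Deliver client_id/secret to the merchant over a secure channel (dashboard).
    return client["client_id"], client["client_secret"]


def authorize(claims, registry, required_scope, resource_merchant_id):
    """Decide a request from signature-verified client-credentials token claims.

    Auth0 M2M tokens carry `azp` (calling client_id), `aud` and a
    space-separated `scope`; the caller may only touch its own merchant.
    """
    aud = claims.get("aud")
    if MERCHANT_API_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False  # token was minted for a different API
    if required_scope not in claims.get("scope", "").split():
        return False  # permission never granted to this client
    owner = registry.owners.get(claims.get("azp"))
    # Unknown client, or a client reaching into another merchant's data: deny.
    return owner is not None and owner == resource_merchant_id
```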