OAuth Flow Selection when a server is used for a standard web app and an API

Hi all!

I am building Multi-Tenant B2B SaaS applications, and recently discovered the power of Auth0. It has, however, raised some questions that I was hoping the community could help with. These may seem trivial; I apologize if they are. I’m fairly new to this, but think that I have started to grasp some of the concepts.

To quickly explain my use case: I am building many services (think microservices), and these services will expose APIs that can be accessed through authorized Single Page Applications and/or Machine to Machine applications. Additionally, these same services will have standard Web App functionality, such that an Admin can navigate to the service’s URL and perform administrative actions.

It is my understanding that for the API use case (let’s assume just from an SPA for now), I will need to implement the Authorization Code Flow with PKCE. In the case of the standard web app functionality, Authorization Code Flow is necessary. Is my understanding correct here?

Further, I’d like to know if there is one SDK that can handle both flows on the server side. In the quickstart guides provided by the Auth0 documentation, Authlib is used server side for the code flow without PKCE (web app), but a bit of custom code is used for the API implementation (with PKCE). Is Authlib capable of handling PKCE related flows? Or is it necessary to implement the custom code for the API resources, and utilize Authlib separately? To this point, I’ve not really found any information regarding PKCE in Authlib’s documentation.

Additionally, if my thinking is entirely wrong here, or I’m doing something completely stupid, I’m open to hearing those suggestions too.

Thanks in advance for any help.


Edit: I’d just like to add that I have no problem implementing the two solutions separately. I’m more just trying to understand best practice here, and keep my code as clean and maintainable as possible.
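
What PKCE adds on top of the plain Authorization Code Flow asked about above, shown as an added example that is not part of the original post and is not Auth0 or Authlib code. It uses the S256 method from RFC 7636; `make_pkce_pair`, `ToyAuthorizationServer` and `demo` are hypothetical names, and the in-memory server is a constructed stand-in for a real authorization server.

```python
import base64
import hashlib
import hmac
import secrets


def _b64url(data: bytes) -> str:
    # base64url without padding, as RFC 7636 requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Client side: random code_verifier and its S256 code_challenge."""
    verifier = _b64url(secrets.token_bytes(32))  # 43 characters
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


class ToyAuthorizationServer:
    """Constructed stand-in: binds each authorization code to a challenge."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}  # code -> code_challenge

    def authorize(self, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        challenge = self._pending.pop(code, None)  # codes are single use
        if challenge is None:
            return False
        try:
            digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
        except UnicodeEncodeError:
            return False
        # Constant-time comparison of the recomputed and stored challenge
        return hmac.compare_digest(_b64url(digest), challenge)


def demo() -> dict:
    server = ToyAuthorizationServer()
    verifier, challenge = make_pkce_pair()
    code1, code2 = server.authorize(challenge), server.authorize(challenge)
    return {
        "legit": server.token(code1, verifier),     # right verifier
        "replayed": server.token(code1, verifier),  # code already redeemed
        "wrong_verifier": server.token(code2, make_pkce_pair()[0]),
    }
```

Without PKCE the token request for a public client such as an SPA carries only the code, so the last case in `demo` would succeed for whoever holds the code.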

Hi @brady

I would suggest separating the API functionality from the “webapp backend” functionality.

Normally, webapp backend functionality is handled via an app session (see this page https://auth0.com/docs/sessions-and-cookies) and not via an access token.

Your design will be cleaner if you separate this out.



Thanks for the advice, John!


We’re here for you Brady!