My team is currently thinking about migrating a couple of our existing APIs to use OAuth2 through Auth0, and I wanted to understand what a good way to organize the resources in Auth0 to achieve this would be.
A little background: Currently we have one API gateway that our various APIs live behind. Our APIs are machine-to-machine APIs, and they are built and maintained by different teams. Our customers’ machines call the API, and the gateway routes the traffic accordingly.
So when trying to move and adopt OAuth2 through Auth0, I was thinking that we can have the following setup:
- One Auth0-API where the different permissions of our various APIs are handled together.
- One Auth0-Application/Client for each of our customers. Since we are M2M I think I need to use the client credentials flow, and to distinguish one customer from another I would need a unique Auth0-application/client per customer here instead of Auth0-organizations? Is my understanding correct?
- Each Auth0-application would be configured with its own permissions for the one Auth0-API.
Does this seem like a reasonable approach? Are there other approaches in people’s experiences that worked for them?
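The setup described in the question, written out as an added example in Go (this is not code from the post or from Auth0): one Auth0 API identifier used as the token audience, one client-credentials application per customer, and the gateway verifying the access token and enforcing the permission a route needs. The claim shape assumes RBAC with "Add Permissions in the Access Token" enabled on the Auth0 API, in which case the token carries a `permissions` claim and `azp` is the client_id of the application that obtained it. The tenant domain, API identifier, client IDs and permission names are made up, and the RSA key is generated locally to stand in for the tenant's signing key, so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Hypothetical tenant values: the Auth0 domain (iss keeps its trailing slash) and the one Auth0 API.
const (
	issuer = "https://example-tenant.auth0.com/"
	apiAud = "https://api.example.com"
)

// Claims is the part of the client-credentials access token the gateway relies on (see the lead-in).
type Claims struct {
	Iss         string   `json:"iss"`
	Aud         string   `json:"aud"` // a string here: the example assumes a single audience
	Azp         string   `json:"azp"` // client_id of the Auth0 application that obtained the token
	Permissions []string `json:"permissions"`
	Exp         int64    `json:"exp"`
}

// mintRS256 stands in for Auth0's /oauth/token endpoint so the example runs offline.
func mintRS256(key *rsa.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err) // only fails on a broken key
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// GatewayCheck is the per-request check: pin the algorithm, verify the signature, then issuer,
// audience and expiry, and only then read azp (which customer) and permissions (what it may do).
func GatewayCheck(pub *rsa.PublicKey, token, needPerm string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed token")
	}
	dec := func(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b } // bad base64 -> nil -> rejected below
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(dec(parts[0]), &hdr) != nil || hdr.Alg != "RS256" {
		return "", fmt.Errorf("unexpected alg") // the token never gets to choose the algorithm
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	var c Claims // parsed only after the signature is known to be good (|| short-circuits)
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], dec(parts[2])) != nil || json.Unmarshal(dec(parts[1]), &c) != nil {
		return "", fmt.Errorf("bad signature or malformed claims")
	}
	if c.Iss != issuer || c.Aud != apiAud || now.Unix() >= c.Exp {
		return "", fmt.Errorf("rejected iss=%q aud=%q exp=%d", c.Iss, c.Aud, c.Exp) // wrong aud: token for another API
	}
	for _, p := range c.Permissions {
		if p == needPerm {
			return c.Azp, nil
		}
	}
	return "", fmt.Errorf("client %s lacks permission %s", c.Azp, needPerm)
}

// Scenario mints tokens for two hypothetical customer applications (acme: read and write, globex: read
// only) plus one minted for another API, and records each verdict as "admitted: <azp>" or "refused: <why>".
func Scenario() map[string]string {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the tenant signing key; error only on a broken RNG
	now := time.Now()
	acme := Claims{Iss: issuer, Aud: apiAud, Azp: "acmeClientId", Exp: now.Add(time.Hour).Unix(),
		Permissions: []string{"read:orders", "write:orders"}}
	globex, foreign := acme, acme
	globex.Azp, globex.Permissions = "globexClientId", []string{"read:orders"}
	foreign.Aud = "https://billing.example.com"
	out := map[string]string{}
	check := func(name, need string, c Claims) {
		if cust, err := GatewayCheck(&key.PublicKey, mintRS256(key, c), need, now); err != nil {
			out[name] = "refused: " + err.Error()
		} else {
			out[name] = "admitted: " + cust
		}
	}
	check("acme write", "write:orders", acme)
	check("globex write", "write:orders", globex)
	check("foreign audience", "read:orders", foreign)
	return out
}

func main() {
	for name, verdict := range Scenario() {
		fmt.Printf("%-17s %s\n", name, verdict)
	}
}
```

Two points the example is meant to make visible. First, "which customer is calling" is the `azp` (or `sub`, which is `<client_id>@clients` for this grant) of the verified token, so a gateway that keys its customer table on Auth0 client_id gets exactly the one-application-per-customer model from the question, and the per-application permission grants on the single API show up as the `permissions` claim the route checks. Second, the `aud` check is what keeps a token that was legitimately minted for another Auth0 API in the same tenant from being accepted here: the signature on the "foreign audience" token is perfectly valid. A production gateway would fetch the verification key from the tenant's JWKS endpoint by `kid`, allow for `aud` arriving as an array, and apply a small clock skew allowance on `exp`.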