Passwordless application in tenant A needs to use API in tenant B

I have an existing tenant that accommodates a back-end API, a passwordless mobile app and a username-password web app.

I want to create a new web app that will also have a passwordless authentication method. This new application is to serve a completely different class of users, but it is my intention that the new app will continue to use the same backend API and database (and resource-server abstraction via Auth0). (Even if we were to implement a backend-for-frontend pattern and introduce an additional API, the two APIs would still need machine-to-machine auth between two different tenants.)

What is the best way to architect and implement this solution?

Thank you in advance!

So… in case it can be helpful to anyone else, I am posting my solution/hack to this below:

The way I got around the limitation of only being able to have one passwordless app per tenant (or more precisely: one “type” of user per tenant accessing passwordless apps) was to create a new tenant containing the new passwordless app and an identically named audience (and resource server). This meant that in my backend (Java/Spring Boot) I was able to write some logic that looks at the issuer URI (essentially the tenant URL) to know which tenant the access token has been issued by, and still permit accessing the resources (allowing the request to continue) because the audience value for the resource server is the same.

Essentially, I now have two resource server abstractions with the same audience value, but only one physical resource server (my Java/Spring Boot application).

It has been a while since I actually implemented this, so I can’t fully remember if at any point I fully understood how much of this issue was specific to Spring Security and how much is a generic workaround for Auth0 tenants, but I thought it useful to provide, regardless.

Hopefully this can help someone else!
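As an added illustration of the approach described above (example code written for this page, not the original poster's implementation), the following Spring Security configuration accepts access tokens from two Auth0 tenants that share one audience value. It keeps an explicit allowlist of trusted issuers, gives each issuer its own JWKS-backed decoder (each tenant signs with its own keys), and checks on every token that `iss` matches the selected tenant and that `aud` contains the shared audience. The tenant domains, the audience string, the Spring Security 6 lambda DSL and the `/.well-known/jwks.json` key location are assumptions; substitute your own values.

```java
package com.example.api.security;

import java.util.List;
import java.util.Map;
import java.util.function.Predicate;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class MultiTenantResourceServerConfig {

    // Placeholder tenant domains and audience (assumed values, not from the original post).
    private static final String TENANT_A_ISSUER = "https://tenant-a.example.auth0.com/";
    private static final String TENANT_B_ISSUER = "https://tenant-b.example.auth0.com/";
    private static final String SHARED_AUDIENCE = "https://api.example.com/";

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Explicit allowlist: only these two issuers get an AuthenticationManager.
        // A token naming any other issuer resolves to null and is rejected as an
        // invalid bearer token before any key is fetched or signature checked.
        Map<String, AuthenticationManager> managersByIssuer = Map.of(
                TENANT_A_ISSUER, authenticationManagerFor(TENANT_A_ISSUER),
                TENANT_B_ISSUER, authenticationManagerFor(TENANT_B_ISSUER));

        // Reads the (not yet verified) iss claim only to pick which decoder to use;
        // the chosen decoder then verifies signature, issuer, expiry and audience.
        JwtIssuerAuthenticationManagerResolver resolver =
                new JwtIssuerAuthenticationManagerResolver(managersByIssuer::get);

        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(resolver));
        return http.build();
    }

    private static AuthenticationManager authenticationManagerFor(String issuer) {
        return new ProviderManager(new JwtAuthenticationProvider(decoderFor(issuer)));
    }

    private static JwtDecoder decoderFor(String issuer) {
        // Each tenant publishes its own signing keys, so each issuer gets its own decoder.
        // Assumed Auth0 convention: JWKS lives at {issuer}.well-known/jwks.json.
        NimbusJwtDecoder decoder = NimbusJwtDecoder
                .withJwkSetUri(issuer + ".well-known/jwks.json")
                .build();

        // The two tenants share the audience value, so this check passes for both;
        // the issuer check in createDefaultWithIssuer is what pins the token to one tenant.
        Predicate<List<String>> containsSharedAudience =
                aud -> aud != null && aud.contains(SHARED_AUDIENCE);

        OAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(issuer),  // exp/nbf plus iss == this tenant
                new JwtClaimValidator<List<String>>(JwtClaimNames.AUD, containsSharedAudience));
        decoder.setJwtValidator(validator);
        return decoder;
    }
}
```

Because both tenants present the same audience, the issuer is the only claim that separates their users, so the set of accepted issuers should be a fixed allowlist in configuration rather than anything derived from the incoming token. If the two user classes need different permissions, the issuer is also the natural key for that distinction, for example by mapping it to a granted authority in a custom `JwtAuthenticationConverter` on each provider.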

