Hi,
I am generating auth0 applications for each of my users, giving them the client id/secret and allowing them to authenticate from their web-servers (M2M use-case).
There are two problems already discussed in the forums related to this:
- Rate limit of the auth/token endpoint and not being able to force my users to cache access tokens
- Increased network calls (to generate the access token) and latency for my users’ web servers
To solve the above, I am thinking: the user includes their client id/secret along with every request to my APIs, in the headers, for example: “Authorization: Bearer {client_id}:{client_secret}”, and I handle fetching access tokens, checking them and caching them on my back-end.
I have not seen other APIs do something like this, so I am obviously concerned with the security or practicality of this approach and I would appreciate any feedback or insights into this.
Thanks!
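One way to build the back-end side of the scheme described in the post, as an added example (not code from the post or from Auth0): the function that actually calls the token endpoint is a hypothetical injected callable so the snippet runs offline, and the cache is keyed on a hash of the full client id/secret pair so a request carrying the wrong secret can never reuse a token cached for the right one.

```python
import hashlib
import time
from typing import Callable, Dict, Optional, Tuple

# Hypothetical fetcher: takes (client_id, client_secret), performs the real
# token request (e.g. a client_credentials grant) and returns
# (access_token, expires_in_seconds). Injected so this example runs offline.
TokenFetcher = Callable[[str, str], Tuple[str, int]]


class TokenCache:
    """Caches one access token per credential pair, with a TTL safety margin."""

    def __init__(self, fetcher: TokenFetcher, margin: int = 60, now=time.time):
        self._fetcher = fetcher
        self._margin = margin      # seconds to expire early, avoids edge-of-TTL use
        self._now = now            # clock is injectable for testing
        self._entries: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _key(client_id: str, client_secret: str) -> str:
        # Key on a hash of the whole pair, never on client_id alone: a wrong
        # secret must miss the cache and be rejected by the token endpoint.
        # The raw secret is not retained in the cache.
        return hashlib.sha256(f"{client_id}\0{client_secret}".encode()).hexdigest()

    def get(self, client_id: str, client_secret: str) -> str:
        key = self._key(client_id, client_secret)
        hit = self._entries.get(key)
        if hit and hit[1] > self._now():
            return hit[0]                      # cached and not yet expired
        token, expires_in = self._fetcher(client_id, client_secret)
        expires_at = self._now() + max(expires_in - self._margin, 0)
        self._entries[key] = (token, expires_at)
        return token


def parse_credentials(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Parse 'Authorization: Bearer {client_id}:{client_secret}'; None if malformed."""
    if not header:
        return None
    scheme, _, rest = header.partition(" ")
    if scheme != "Bearer" or ":" not in rest:
        return None
    client_id, _, client_secret = rest.partition(":")
    if not client_id or not client_secret:
        return None
    return client_id, client_secret
```

With this in place the token endpoint is hit once per credential pair per token lifetime rather than once per API request, which is the rate-limit and latency saving the post is after; the secret still travels on every call, so the transport must be TLS and the header must be kept out of request logs.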