We selected the Multi-tenant by application approach. So for each tenant we have created a unique auth0 application. Now we want to allow 3rd parties to integrate with our public API.
One approach is to generate a unique application per 3rd party per tenant, and give the 3rd party the client_id and client_secret. The 3rd party can simply make client_credential exchanges with auth0 to access the public API.
Is there an approach where we could give the 3rd party a single application for all tenants, and allow the end user to consent to that 3rd party having access to their tenant? That way each tenant does not need to generate a new client secret for each integration they make?
It is hard to answer your question without some more details. A couple of points of clarification:
how many Auth0 tenants do you have? Why do you have a multi-tenant architecture?
Are you suggesting using client credentials to allow 3rd party apps to access end user data? That is not good, as an evil 3rd party (think disgruntled employee) could then access data for end users that did not give consent.
Without understanding the tenant architecture, I can’t answer your main question about applications.
We have one Auth0 Tenant for Production, we have many Auth0 Applications/Clients; one Auth0 Application per customer (the multi-tenant aspect). The client credential and secret are consumed by our backend systems alone (not shared).
To support a 3rd party application consuming our Public APIs, my current approach is to generate another Auth0 Application that is locked to that single customer with limited scopes. These credentials are then consumed by the third party. The customer has to generate this auth0 application and provide it to the third party.
The above approach means that we will generate one Auth0 application per customer (our application) and one Auth0 application per customer per third party integration. If a customer has three 3rd party integrations, then they will have 4 Auth0 applications. This may be excessive.
Since each customer has their own application, I am not sure if there is a better approach for allowing them to generate a token for a 3rd party.
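The check that makes the "one application per customer per third party" model safe is on the API side: every access token must be bound to exactly one customer tenant and to a limited scope set, and the resource server must refuse any request whose tenant does not match the token's binding. The following is an added Python example illustrating that check, not code from this thread or from Auth0. It assumes an HS256 signing secret for simplicity (Auth0 issues RS256 tokens in practice), an assumed issuer URL and API identifier, and a hypothetical namespaced custom claim `https://example.com/tenant` carrying the customer binding; the `gty` claim marks the token as a client-credentials grant, which is how an API can tell it apart from a token that an end user consented to.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example; none of them are real Auth0 identifiers.
ISSUER = "https://example-tenant.auth0.com/"   # assumed Auth0 tenant issuer
AUDIENCE = "https://api.example.com/public"     # assumed public API identifier
TENANT_CLAIM = "https://example.com/tenant"     # hypothetical namespaced custom claim
SIGNING_SECRET = b"constructed-demo-secret"     # HS256 for illustration only


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id: str, tenant: str, scopes: list, ttl: int = 3600, now=None) -> str:
    """Mint a JWT bound to one customer tenant with a limited scope set.

    Models what the authorization server hands a third-party integration
    after a client-credentials exchange for a customer-locked application.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": ISSUER,
        "sub": f"{client_id}@clients",     # no end user behind this token
        "aud": AUDIENCE,
        "iat": now,
        "exp": now + ttl,
        "gty": "client-credentials",       # grant type: machine-to-machine, no consent
        "scope": " ".join(scopes),
        TENANT_CLAIM: tenant,              # the single customer this token may touch
    }
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}."
        f"{_b64url(json.dumps(payload).encode())}"
    )
    sig = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def authorize(token: str, requested_tenant: str, required_scope: str, now=None) -> tuple:
    """Resource-server decision for a request against one tenant's data.

    Returns (allowed, reason). Signature, issuer, audience and expiry are
    checked first; then the tenant binding and the scope, so a token issued
    for one customer can never read another customer's data.
    """
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(SIGNING_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return False, "wrong issuer or audience"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get(TENANT_CLAIM) != requested_tenant:
        return False, "token not bound to requested tenant"
    if required_scope not in claims.get("scope", "").split():
        return False, f"missing scope {required_scope}"
    return True, "ok"


if __name__ == "__main__":
    tok = issue_token("constructed-client-id", "acme", ["read:orders"])
    print(authorize(tok, "acme", "read:orders"))     # allowed
    print(authorize(tok, "globex", "read:orders"))   # cross-tenant: denied
    print(authorize(tok, "acme", "write:orders"))    # scope not granted: denied
```

The tenant claim is what keeps the per-customer application model honest: the third party's token cannot be replayed against a different customer, and the `gty` value lets the API treat machine tokens differently from tokens an end user actually consented to, which is the gap the earlier reply warns about.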
By filling in a feature request through our product feedback form that John attached above you should be contacted by one of our product managers within 10 business days.