Providing 3rd party integrations within a Multi-tenant environment using applications

Hi,

We selected the Multi-tenant by application approach. So for each tenant we have created a unique Auth0 application. Now we want to allow 3rd parties to integrate with our public API.

One approach is to generate a unique application per 3rd party per tenant, and give the 3rd party the client_id and client_secret. The 3rd party can simply make client_credential exchanges with Auth0 to access the public API.

Is there an approach where we could give the 3rd party a single application for all tenants, and allow the end user to consent to that 3rd party having access to their tenant? That way each tenant does not need to generate a new client secret for each integration they make?

Hi @calvin2,

It is hard to answer your question without some more details. A couple of points of clarification:
How many Auth0 tenants do you have? Why do you have a multi-tenant architecture?
Are you suggesting using client credentials to allow 3rd party apps to access end user data? That is not good, as an evil 3rd party (think disgruntled employee) could then access data for end users that did not give consent.
Without understanding the tenant architecture, I can’t answer your main question about applications.

John

Sorry for the confusion around multi-tenant.

We have one Auth0 Tenant for Production, we have many Auth0 Applications/Clients; one Auth0 Application per customer (the multi-tenant aspect). The client credential and secret are consumed by our backend systems alone (not shared).

To support a 3rd party application consuming our Public APIs, my current approach is to generate another Auth0 Application that is locked to that single customer with limited scopes. These credentials are then consumed by the third party. The customer has to generate this Auth0 application and provide it to the third party.

The above approach means that we will generate one Auth0 application per customer (our application) and one Auth0 application per customer per third party integration. If a customer has three 3rd party integrations, then they will have 4 Auth0 applications. This may be excessive.

Since each customer has their own application, I am not sure if there is a better approach for allowing them to generate a token for a 3rd party.

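Added example, not part of the original posts and not Auth0's code: an API-side check for the "one application per customer per third party integration" layout described above, where each application is locked to a single customer with limited scopes. It assumes the token's signature, issuer and audience were already verified and that the client ID arrives in the `azp` claim with scopes in a space-separated `scope` claim; the registry, client IDs and scope names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientBinding:
    tenant: str            # the single customer this application may act for
    scopes: frozenset      # upper bound on scopes for this integration
    enabled: bool = True   # lets a customer switch off one integration only


# Constructed registry (hypothetical IDs): one entry per Auth0 application,
# i.e. one per customer plus one per customer per third-party integration.
CLIENT_REGISTRY = {
    "acme-backend": ClientBinding("acme", frozenset({"orders:read", "orders:write"})),
    "acme-reporting-3p": ClientBinding("acme", frozenset({"orders:read"})),
    "acme-billing-3p": ClientBinding("acme", frozenset({"invoices:read"}), enabled=False),
    "globex-backend": ClientBinding("globex", frozenset({"orders:read", "orders:write"})),
}


def decide(claims, tenant, required_scope, registry=CLIENT_REGISTRY):
    """Return (allowed, reason) for a request against `tenant`.

    `claims` must come from a token whose signature, issuer and audience
    have already been verified; that step is outside this example.
    """
    binding = registry.get(claims.get("azp"))
    if binding is None:
        return False, "unknown client"
    if not binding.enabled:
        return False, "integration disabled"
    # The permitted tenant comes from the server-side binding, so a third
    # party cannot reach another customer by naming it in the request.
    if binding.tenant != tenant:
        return False, "client is bound to another tenant"
    granted = set(str(claims.get("scope", "")).split())
    # Effective scopes are the token's scopes capped by the registry entry.
    if required_scope not in granted & binding.scopes:
        return False, "scope not granted"
    return True, "allow"


if __name__ == "__main__":
    # Constructed claims, as they might look after token verification.
    token = {"azp": "acme-reporting-3p", "scope": "orders:read orders:write"}
    for tenant, scope in [("acme", "orders:read"), ("acme", "orders:write"),
                          ("globex", "orders:read")]:
        print(tenant, scope, decide(token, tenant, scope))
```

Disabling `acme-billing-3p` leaves `acme-backend` and the other integration untouched, which is the trade-off bought by the extra applications per customer.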

Hi Calvin,

At this time, I don’t have a better answer for you. Your approach is valid.

If you don’t mind, can you make a request here: Auth0: Secure access for everyone. But not just anyone.
with any ideas you have for improvement in this area (or any other)?

Thank you

John

By filling in a feature request through our product feedback form that John attached above, you should be contacted by one of our product managers within 10 business days.
