Hey, implementation/architecture question regarding the use of Client Credentials:
My company has a webapp that has our users authenticate through Auth0, and a JWT is returned and stored for each user that logs in with a valid username/password combo. This webapp is configured in Auth0 as an Application of type “Regular Web Application” and has a Client ID and Client Secret associated with it.
We pass the generated JWT in the Authentication header of requests we make to our API for authentication on our users’ behalf. The authentication library requires the Client ID and Client Secret for the Auth0 Application, and given a valid JWT from the first step, will successfully authenticate the user into our API. There is no config for this API anywhere in the APIs screen of Auth0 (which has been working for us for years).
We have a new request to authenticate into this API server-to-server (instead of providing a username/password). I am hoping to generate JWTs on the servers, and pass the generated JWT as we do for requests from users. I am probably misunderstanding the docs, but it seems like we want to use Client Credentials—but when I generate JWTs using the Client Credentials the authentication into our endpoint is unsuccessful. I don’t think I want to create an API in Auth0 for this purpose, right?
In the meantime I’m going to create a username-password combo for the server, and authenticate that way. I would prefer to do this properly, and I look forward to receiving advice.
Thanks in advance,
Jonny
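As an added illustration (not part of Jonny's post, and not Auth0's own SDK code), the following stand-alone Python shows the two token shapes involved here and an API-side verifier that checks them. A token minted for a user login of a Regular Web Application carries the application's client ID as its audience, whereas a token from the client-credentials grant carries the identifier of an Auth0 API as its audience and a non-human subject; a verifier that was written for the first shape will reject the second on the audience check alone. All names (tenant URL, client IDs, secret, API identifier) and the claim sets are constructed for the example. It uses one shared HS256 secret for both tokens so that the audience check is the only variable; in a real tenant, an API's tokens are typically RS256-signed with the tenant key, so the signature itself would also differ from one validated with the web app's client secret.

```python
"""Added example: minimal HS256 JWT mint/verify with stdlib only, showing how an
API-side verifier distinguishes a user token from a client-credentials token."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values (hypothetical, not real Auth0 settings).
ISSUER = "https://example.auth0.com/"        # hypothetical tenant
WEB_APP_CLIENT_ID = "webapp-client-id"       # hypothetical Regular Web Application
CLIENT_SECRET = b"webapp-client-secret"      # hypothetical shared HS256 secret
API_IDENTIFIER = "https://api.example.com"   # hypothetical Auth0 API identifier (audience)
M2M_CLIENT_ID = "m2m-client-id"              # hypothetical Machine to Machine application


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Sign a JWT with HS256 (the shared-secret case described in the post)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256(token: str, secret: bytes, expected_aud: str, now=None) -> dict:
    """Check algorithm, signature, issuer, expiry and audience; raise ValueError on failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, picks the algorithm
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        raise ValueError(f"audience mismatch: {auds}")
    return claims


def user_token(now: float) -> str:
    """Shape of a token issued for a user login of the web app: aud is the app's client ID."""
    return mint_hs256({"iss": ISSUER, "sub": "auth0|user123", "aud": WEB_APP_CLIENT_ID,
                       "iat": int(now), "exp": int(now) + 3600}, CLIENT_SECRET)


def m2m_token(now: float) -> str:
    """Shape of a client-credentials token: aud is the API identifier and the
    subject is the calling application rather than a user (constructed claims)."""
    return mint_hs256({"iss": ISSUER, "sub": M2M_CLIENT_ID + "@clients", "aud": API_IDENTIFIER,
                       "iat": int(now), "exp": int(now) + 3600, "gty": "client-credentials"},
                      CLIENT_SECRET)


def api_accepts(token: str, expected_aud: str, now: float) -> bool:
    """What an API configured for a given audience would decide for a token."""
    try:
        verify_hs256(token, CLIENT_SECRET, expected_aud, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    t = time.time()
    print("user token, API expects client ID: ", api_accepts(user_token(t), WEB_APP_CLIENT_ID, t))
    print("m2m token,  API expects client ID: ", api_accepts(m2m_token(t), WEB_APP_CLIENT_ID, t))
    print("m2m token,  API expects API id:    ", api_accepts(m2m_token(t), API_IDENTIFIER, t))
```

The middle line of the demo is the situation the post describes: the server-side token is well formed and correctly signed, yet an API that only knows how to accept tokens addressed to the web app's client ID rejects it. Whatever the API ends up accepting, keep the `alg`, issuer, expiry and audience checks together; dropping the audience check to make the second token pass would let any token the tenant issues for any purpose authenticate to this API.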