We are working on a POC to authorize first-party and third-party APIs using Auth0. Our implementation, following the documentation here: Rails API Authorization By Example, requires making a request to the authorization server with client_id, client_secret and audience_id, receiving a JWT token back and using that token to make a request to our protected service API.
The above approach works, but we have one other use case that is not represented:
We have a couple of external services that use webhooks to call APIs in our service (EasyPost, for example, triggers a webhook that makes an API call to a tracking API on our system to update the tracking info). Based on their webhook configuration, they only allow basic authentication or HMAC validation: API Docs - EasyPost. For this use case, we were thinking of using Auth0 Actions (previously Rules) to make a call to the authorization server from the webhook interface and, based on the audience ID, have an Action that makes the call to the internal API with the returned JWT token after authorization succeeds. Is this the proper approach to handle this use case, or is there a better option?
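As an added illustration of the two inbound webhook options the post mentions (basic authentication and HMAC validation), the Ruby below shows how a Rails API endpoint can verify either one itself, with constant-time comparisons so a forged signature or password cannot be guessed byte by byte from response timing. This is example code written for this page, not the poster's code and not EasyPost's or Auth0's; it assumes a signing scheme of HMAC-SHA256 over the raw request body, hex-encoded and sent in a header as `hmac-sha256-hex=<hex>`, with a shared secret configured on both sides. The header name, value format, secret and credentials are assumptions, and the request body and signature are constructed sample data; check the provider's documentation for the exact scheme.

```ruby
require "openssl"

# Added example, not code from the original post or from EasyPost/Auth0.
# Assumed scheme: HMAC-SHA256 over the raw body, hex-encoded, delivered as
# "hmac-sha256-hex=<hex>" in a signature header (format is an assumption).
module WebhookAuth
  SIGNATURE_PREFIX = "hmac-sha256-hex=".freeze

  # Constant-time comparison: every byte is XORed regardless of where the
  # first mismatch occurs, so timing does not reveal how much of a guess was
  # correct. The length check leaks nothing useful here because the expected
  # length is fixed by the hash (or by the credential we chose).
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    left = a.unpack("C*")
    result = 0
    b.each_byte { |byte| result |= byte ^ left.shift }
    result.zero?
  end

  def self.compute_signature(raw_body, secret)
    OpenSSL::HMAC.hexdigest("SHA256", secret, raw_body)
  end

  # Verify against the raw bytes as received (in Rails: request.raw_post),
  # never against re-serialized JSON, because key order and whitespace change
  # the digest.
  def self.verify_hmac(raw_body, signature_header, secret)
    return false if signature_header.nil? || !signature_header.start_with?(SIGNATURE_PREFIX)

    presented = signature_header.delete_prefix(SIGNATURE_PREFIX).strip.downcase
    secure_compare(compute_signature(raw_body, secret), presented)
  end

  # HTTP Basic: "Basic base64(user:password)". The user and password are both
  # compared in constant time; "&" (not "&&") avoids short-circuiting so the
  # time taken does not depend on whether the username matched.
  def self.verify_basic(authorization_header, expected_user, expected_password)
    return false if authorization_header.nil?

    scheme, encoded = authorization_header.split(" ", 2)
    return false unless scheme == "Basic" && encoded

    decoded =
      begin
        encoded.unpack1("m0") # strict base64; raises on malformed input
      rescue ArgumentError
        return false
      end
    user, password = decoded.split(":", 2)
    return false if password.nil?

    secure_compare(user, expected_user) & secure_compare(password, expected_password)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data, not a real EasyPost payload.
  secret = "whsec_constructed_example"
  body   = '{"id":"trk_123","status":"delivered"}'
  header = WebhookAuth::SIGNATURE_PREFIX + WebhookAuth.compute_signature(body, secret)

  puts WebhookAuth.verify_hmac(body, header, secret)                       # genuine delivery
  puts WebhookAuth.verify_hmac(body.sub("delivered", "lost"), header, secret) # tampered body
end
```

In a Rails controller this would run in a `before_action` that reads `request.raw_post` and the signature or `Authorization` header and returns 401 on failure, before any JSON parsing or business logic; the webhook secret or basic credentials belong in Rails credentials or an environment variable, not in source.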