Restrict first-party clients to specific APIs


  1. Multiple first-party clients are configured with different valid callback URLs. Say FP-Client-A, FP-Client-B, FP-Client-C, each with a different set of callback URLs.
  2. We have multiple APIs. Say, API-X, API-Y, API-Z.
  3. All APIs are for first-party use at this time. Users should never be asked for consent when requesting access token for these APIs.
  4. However, clients should only be able to get access tokens for specific APIs. I.e., FP-Client-A is allowed access to API-X, but no others. FP-Client-C is allowed access to API-X, API-Y, and API-Z. FP-Client-B is allowed access to none of these APIs (only identity).

How do I accomplish this?

The goal is to prevent a developer (or attacker) with access only to FP-Client-A from getting tokens for anything other than API-X, i.e., to limit the scope of any attack, whether coming from an internal or external entity.

Assuming that all entities are within the same Auth0 tenant/domain, then to my knowledge the only possible way to achieve that goal at this time would be through the use of a rule that would reject an authentication/authorization request if the request asked for an access token associated with your custom APIs and the requesting client is not authorized to interact with that API.
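The kind of rule the answer describes, written out as an added example (this is not code from the thread or from Auth0's own samples). It keeps a per-client allow-list of API identifiers (audiences), fails closed for clients not on the list, and lets identity-only requests (no `audience`) through for every client. The client IDs and API identifiers are placeholders I made up for the example; in a real tenant they would be the Client IDs of FP-Client-A/B/C and the identifiers of API-X/Y/Z. `context.clientID` and `context.request.query.audience` are the fields the Auth0 rule context exposes for interactive flows; `UnauthorizedError` is the error type available in the rule sandbox, so a plain `Error` is substituted when running outside it. One caveat worth keeping in mind: rules run for user-facing authorization flows, not for the client-credentials grant, so machine-to-machine access to the same APIs has to be restricted separately through the client grants configured for each API.

```javascript
// Added example, not from the original thread: an Auth0-style rule that denies an
// authorization request when the requesting client is not allowed to obtain
// access tokens for the requested API (audience).

// Placeholder mapping: Auth0 Client ID -> API identifiers that client may request.
// These values are constructed for the example.
const CLIENT_API_ALLOWLIST = {
  FP_CLIENT_A_ID: ['https://api-x.example.com'],
  FP_CLIENT_B_ID: [],                                  // identity only, no APIs
  FP_CLIENT_C_ID: [
    'https://api-x.example.com',
    'https://api-y.example.com',
    'https://api-z.example.com',
  ],
};

// Pure decision helper: returns null when the request is allowed, otherwise a
// human-readable denial reason. Kept separate from the rule so it can be tested.
function checkClientAudience(clientId, audience, allowlist) {
  // No audience (or only /userinfo) means the client wants an ID token / identity,
  // which every first-party client in the question is permitted to get.
  if (!audience || /\/userinfo\/?$/.test(audience)) return null;

  const allowed = allowlist[clientId];
  // Fail closed: a client that is not in the map gets no API tokens at all.
  if (!allowed) return `client ${clientId} is not configured for any API`;

  if (!allowed.includes(audience)) {
    return `client ${clientId} is not authorized for audience ${audience}`;
  }
  return null;
}

// In the Auth0 rule sandbox, UnauthorizedError is provided globally; outside it
// (e.g. when running this file locally) fall back to a plain Error.
const DenyError =
  typeof UnauthorizedError !== 'undefined' ? UnauthorizedError : Error;

// Rule entry point, using the (user, context, callback) signature Auth0 rules use.
function restrictClientToApis(user, context, callback) {
  const audience =
    context.request && context.request.query
      ? context.request.query.audience
      : undefined;

  const reason = checkClientAudience(context.clientID, audience, CLIENT_API_ALLOWLIST);
  if (reason) {
    // Rejecting here stops the token from being issued for this audience.
    return callback(new DenyError(reason));
  }
  return callback(null, user, context);
}

// Local harness: build a fake rule context and capture the callback outcome.
// The rule invokes the callback synchronously, so the result is available on return.
function simulateRule(clientId, audience) {
  const context = { clientID: clientId, request: { query: { audience } } };
  let outcome = null;
  restrictClientToApis({ user_id: 'auth0|example' }, context, (err) => {
    outcome = err ? { allowed: false, reason: err.message } : { allowed: true, reason: null };
  });
  return outcome;
}

// Example run when executed directly.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(simulateRule('FP_CLIENT_A_ID', 'https://api-x.example.com')); // allowed
  console.log(simulateRule('FP_CLIENT_A_ID', 'https://api-y.example.com')); // denied
  console.log(simulateRule('FP_CLIENT_B_ID', undefined));                    // allowed (identity only)
}
```

The allow-list is the only thing an operator has to edit; everything else stays fixed, which keeps the rule reviewable. Because the decision is made from `context.clientID`, a caller who only holds FP-Client-A's credentials cannot widen the set of APIs by simply changing the `audience` parameter in the authorization request, which is exactly the blast-radius limit the question asks for.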
