Sharing a single application between different services

Hello,

We have a bunch of different 3rd party services that are linked directly to our AzureAD for SSO. We’d like to move these services to use Auth0 instead.

We have the AzureAD setup in Auth0, and it works great. The question is: should we make an application for each individual 3rd party service, or can we make a single application and use the same client ID (etc.) for all the services?

While I have a feeling that the former is the correct way to do it (and I’d be satisfied with that as an answer), I’m curious about the drawbacks of the latter approach: what security or administration risks would be involved, etc.?

Thanks!
Luke

Hi @luke.mondy, welcome to the community!

I’d recommend creating a separate application for each 3rd party; this would give you greater control over managing what each party can do and make it easier to further extend flows with Rules or Actions that are different for each.

Especially so if you are using a flow that requires the 3rd party to know your client secret in order to authenticate: if one party leaks that secret, it has compromised the others if they share the same application/client.

You may find this documentation useful too:

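An added example (not part of the thread, and not Auth0's or either poster's code) of the per-application control the reply describes: a post-login Action whose policy is keyed on `event.client.client_id`, which can only tell services apart when each has its own application. The client IDs, group names, claim namespace and the use of `app_metadata.groups` are assumptions.

```javascript
// Added example: per-application policy in an Auth0 post-login Action.
// Client IDs, group names, the claim namespace and app_metadata.groups are
// constructed placeholders, not values from the thread.
const CLIENT_POLICY = new Map([
  ["CLIENT_ID_HR_PORTAL", { allowedGroups: ["hr"], sendGroups: true }],
  ["CLIENT_ID_WIKI", { allowedGroups: ["hr", "staff"], sendGroups: false }],
]);
const GROUPS_CLAIM = "https://example.com/groups";

// Pure decision function so the policy can be unit-tested outside Auth0.
function decide(event) {
  const policy = CLIENT_POLICY.get(event.client.client_id);
  if (!policy) {
    // Deny by default: an application nobody onboarded gets no logins.
    return { allow: false, reason: "application not onboarded", claims: {} };
  }
  const meta = event.user.app_metadata || {};
  const groups = Array.isArray(meta.groups) ? meta.groups : [];
  const matched = groups.filter((g) => policy.allowedGroups.includes(g));
  if (matched.length === 0) {
    return { allow: false, reason: `no access to ${event.client.name}`, claims: {} };
  }
  // Release only the groups this service needs, and only if it asked for them.
  const claims = policy.sendGroups ? { [GROUPS_CLAIM]: matched } : {};
  return { allow: true, reason: null, claims };
}

// Action entry point: applies the decision through the Actions api object.
async function onExecutePostLogin(event, api) {
  const result = decide(event);
  if (!result.allow) {
    api.access.deny(result.reason);
    return;
  }
  for (const [name, value] of Object.entries(result.claims)) {
    api.idToken.setCustomClaim(name, value);
  }
}

if (typeof module !== "undefined") {
  module.exports = { onExecutePostLogin, decide };
}
```

With one shared application every service would arrive with the same `client_id`, so this table would collapse to a single row and the services could no longer be given different rules.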
