Single M2M app to give access to API to many users

We are using Auth0 with the Authorization code flow for our SPA. Now we want to share access to our API with many clients in an “API keys” style without having to log in or use the refresh token. We have read extensively about the Client Credentials flow and M2M apps. It seems to be the answer, however, we do not want to do programmatic deployments of M2M applications for each of our clients.

Is there any way in which we could achieve this “API keys” functionality and still identify the users/clients with only one M2M application? Any suggestion is welcome.

Hi @erickrhein

You must have one app per client. This isn’t hard though, when you onboard a client, part of that should include a small script that generates the M2M application via the management API and securely delivers the client ID and secret.

John

2 Likes

Is there no other alternative? For instance to create users inside the single M2M application and they all have different credentials but the same permissions as they would be granted to the whole application?

Hi @erickrhein

There are other alternatives, fairly complex. For example, you can implement an API for your clients to use, the API has a single client ID/secret, but you take on the responsibility of dealing with multiple callers. Auth0 Professional Services may be of interest to you:

John

1 Like
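The alternative John describes above (one client ID/secret for the API itself, with the API owning the problem of telling its callers apart) is what an "API keys" scheme amounts to in practice. The following is an added example, not code from the thread or from Auth0, showing the per-caller bookkeeping the API would then have to take on: issuing a key per caller, storing only a hash of it, authenticating a presented key with a constant-time comparison, and checking the caller's scopes. The `ApiKeyRegistry` class, the `key_id.secret` key format and the scope names are all assumptions of this example.

```python
"""Per-caller API keys behind a single API (added example, not Auth0 code).

The API keeps one record per issued key: a SHA-256 hash of the secret, the
caller it belongs to, and the scopes that caller is allowed. The plaintext key
is returned exactly once at issue time and never stored.
"""
import hashlib
import hmac
import secrets


class ApiKeyRegistry:
    """In-memory store; a real deployment would back this with a database."""

    def __init__(self):
        # key_id -> {"hash": bytes, "caller": str, "scopes": set, "active": bool}
        self._keys = {}

    @staticmethod
    def _digest(secret):
        # Keys are high-entropy random strings, so a fast hash is adequate here;
        # slow password hashes exist to protect low-entropy human passwords.
        return hashlib.sha256(secret.encode()).digest()

    def issue(self, caller, scopes):
        """Create a key for `caller`; returns the plaintext key (show it once)."""
        key_id = secrets.token_hex(8)          # public lookup handle
        secret = secrets.token_urlsafe(32)     # 256 bits of entropy
        self._keys[key_id] = {
            "hash": self._digest(secret),
            "caller": caller,
            "scopes": set(scopes),
            "active": True,
        }
        return f"{key_id}.{secret}"

    def revoke(self, key_id):
        """Disable a key without deleting its audit record."""
        if key_id in self._keys:
            self._keys[key_id]["active"] = False

    def authenticate(self, presented):
        """Return {"caller", "scopes"} for a valid, active key, else None."""
        key_id, _, secret = presented.partition(".")
        rec = self._keys.get(key_id)
        if rec is None or not rec["active"] or not secret:
            return None
        # Constant-time comparison of the hashes avoids leaking match length.
        if not hmac.compare_digest(rec["hash"], self._digest(secret)):
            return None
        return {"caller": rec["caller"], "scopes": frozenset(rec["scopes"])}


def authorize(registry, presented, required_scope):
    """Return (http_status, caller) the way an API middleware would decide it."""
    ident = registry.authenticate(presented)
    if ident is None:
        return 401, None
    if required_scope not in ident["scopes"]:
        return 403, ident["caller"]
    return 200, ident["caller"]


if __name__ == "__main__":
    reg = ApiKeyRegistry()
    key = reg.issue("acme-billing-service", ["read:orders"])
    print(authorize(reg, key, "read:orders"))    # (200, 'acme-billing-service')
    print(authorize(reg, key, "write:orders"))   # (403, 'acme-billing-service')
```

Because the key carries its own `key_id`, each call still maps to a specific caller within one organization, which is the identification the single M2M app cannot provide on its own. Rotation is a matter of issuing a new key and revoking the old `key_id`.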
  1. Let’s say one client has 3 API users for our API. Is there any straightforward way to create different credentials and permissions for all 3 of them? The approach you suggested of one app per client would mean 3 apps here, right? From a business side they are all the same client, same organization.

  2. Also, other features I explored so far like Auth0 Actions will not help much in M2M applications since there is no clear way to identify a user but rather you identify the entire client application. Correct?

  3. RBAC seems not relevant for our use case. I guess my question is, is there a way to identify users inside an M2M application? With these we could give them different permissions.

Hi @erickrhein

Client Credentials/M2M is ONLY for an application. There is no user involved in this flow.

You may be interested in our organizations feature: Auth0 Organizations

Professional Services has a discovery package: we will meet with you, discuss your use case, and present you with an architecture to use for your implementation. You have a lot of moving parts, and it would be very beneficial.

John

1 Like

So we have rethought our requirements and will go for the programmatic deployment of M2M apps with a script as you suggest. We will develop a CLI to create users, M2M apps and organizations. It seems the linking between users-organizations is 1 to many.

1. Not cross tenant tho, correct? Meaning for the dev tenant and the production tenant I would need a dev-organization and prod-organization?

2. Also, seems that the organizations cannot be linked to M2M apps? The limitations explain that client credentials are not supported. One way to keep track of these apps would be to call them exactly the same name as the organization since they cannot be linked to any. Is there any more sophisticated way to link an M2M to an organization? Specifically we want to do it with the management API in a function of our CLI.

Thank you for your help, it has been very appreciated.
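Both John's onboarding suggestion (a small script that creates the M2M application through the Management API and hands over the client ID and secret) and the CLI described in the last post come down to the same two Management API calls. The following is an added example, not code from the thread or from Auth0, of that onboarding step in Python. It assumes a Management API client (a client_id/secret with `create:clients` and `create:client_grants` scopes), your own API's identifier as the `audience`, and the real endpoints `POST /oauth/token`, `POST /api/v2/clients` and `POST /api/v2/client-grants`. Tagging the new app with its organization via `client_metadata` is this example's own convention for the "link an M2M to an organization" question, since a direct link is not available; the `http` transport is injectable so the logic can be exercised without a tenant.

```python
"""Create one Auth0 M2M application per client via the Management API.

Added example, not Auth0 code. Steps:
  1. Client Credentials exchange for a short-lived Management API token.
  2. POST /api/v2/clients with app_type "non_interactive" (the M2M type).
  3. POST /api/v2/client-grants to authorize the new app for your API.
The returned client_secret is shown once; deliver it out of band, never log it.
"""
import json
import urllib.request


def _urllib_http(method, url, headers, body):
    """Default transport: send a JSON body, return the parsed JSON response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def get_management_token(domain, mgmt_client_id, mgmt_client_secret, http=_urllib_http):
    """Client Credentials flow against the tenant's own Management API audience."""
    resp = http("POST", f"https://{domain}/oauth/token",
                {"Content-Type": "application/json"},
                {"grant_type": "client_credentials",
                 "client_id": mgmt_client_id,
                 "client_secret": mgmt_client_secret,
                 "audience": f"https://{domain}/api/v2/"})
    return resp["access_token"]


def build_client_payload(name, org_id=None):
    """Body for POST /api/v2/clients.

    client_metadata (string key/values) is used here, as an assumed convention,
    to record which organization the app belongs to; Organizations themselves
    do not support client-credentials apps, so this tag is the only link."""
    payload = {"name": name, "app_type": "non_interactive"}
    if org_id:
        payload["client_metadata"] = {"org_id": org_id}
    return payload


def build_grant_payload(client_id, audience, scopes):
    """Body for POST /api/v2/client-grants: what this app may do on your API."""
    return {"client_id": client_id, "audience": audience, "scope": list(scopes)}


def onboard_m2m_client(domain, mgmt_token, name, audience, scopes,
                       org_id=None, http=_urllib_http):
    """Create the app and its grant; return the credentials to hand to the client."""
    headers = {"Authorization": f"Bearer {mgmt_token}",
               "Content-Type": "application/json"}
    base = f"https://{domain}/api/v2"
    client = http("POST", f"{base}/clients", headers, build_client_payload(name, org_id))
    grant = http("POST", f"{base}/client-grants", headers,
                 build_grant_payload(client["client_id"], audience, scopes))
    return {"client_id": client["client_id"],
            "client_secret": client["client_secret"],   # one-time disclosure
            "granted_scopes": grant["scope"]}


if __name__ == "__main__":
    import os
    # Placeholder environment variables; set them from your own tenant.
    domain = os.environ["AUTH0_DOMAIN"]
    token = get_management_token(domain, os.environ["MGMT_CLIENT_ID"],
                                 os.environ["MGMT_CLIENT_SECRET"])
    creds = onboard_m2m_client(domain, token, "acme-prod",
                               os.environ["API_AUDIENCE"], ["read:orders"],
                               org_id="org_PLACEHOLDER")
    print("client_id:", creds["client_id"])   # deliver the secret separately
```

Keeping the scopes per grant narrow is what makes one-app-per-client worthwhile: revoking or changing a single client's access is then a change to that client's grant, not to a shared credential. Naming apps after the organization, as the last post proposes, still works alongside the metadata tag, and the Management API's client listing can be filtered on either.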