We are using Auth0 with the Authorization code flow for our SPA. Now we want to share access to our API with many clients in an “API keys” style without having to log in or use the refresh token. We have read extensively about the Client Credentials flow and M2M apps. It seems to be the answer, however, we do not want to do programmatic deployments of M2M applications for each of our clients.
Is there any way in which we could achieve this “API keys” functionality and still identify the users/clients with only one M2M application? Any suggestion is welcome
You must have one app per client. This isn’t hard though, when you onboard a client, part of that should include a small script that generates the M2M application via the management API and securely delivers the client ID and secret.
Is there no other alternative? For instance to create users inside the single M2M application and they all have different credentials but the same permissions as they would be granted to the whole application?
There are other alternatives, fairly complex. For example, you can implement an API for your clients to use, the API has a single client ID/secret, but you take on the responsibility of dealing with multiple callers. Auth0 Professional Services may be of interest to you:
Client Credentials/M2M is ONLY for an application. There is no user involved in this flow.
You may be interested in our organizations feature: Auth0 Organizations
Professional Services has a discovery package: we will meet with you, discuss your use case, and present you with an architecture to use for your implementation. You have a lot of moving parts, and it would be very beneficial.
So we have rethought our requirements and will go for the programmatic deployment of M2M apps with a script as you suggest. We will develop a CLI to create users, M2M apps and organizations. It seems the linking between users-organizations is 1 to many.
1. Not cross-tenant though, correct? Meaning for the dev tenant and the production tenant I would need a dev-organization and prod-organization?
2. Also, it seems that organizations cannot be linked to M2M apps? The limitations explain that client credentials are not supported. One way to keep track of these apps would be to call them exactly the same name as the organization since they cannot be linked to any. Is there any more sophisticated way to link an M2M app to an organization? Specifically we want to do it with the management API in a function of our CLI.
Thank you for your help, it has been very appreciated.
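The onboarding script suggested in the first reply, combined with the naming convention from the last post (one M2M app per client, named after its organization), as an added example that is neither the thread's code nor Auth0's own; the tenant domain, Management API token, audience and scopes are assumptions, and `fake_post` is a constructed stand-in so it runs offline:

```python
"""Onboard an API consumer by creating one M2M application per client (added example)."""
import json
import urllib.request
from typing import Callable

# Assumed values: replace with your tenant domain and a Management API token that
# holds the create:clients and create:client_grants scopes.
AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"
MGMT_TOKEN = "MANAGEMENT_API_TOKEN"

def m2m_client_payload(org_name: str) -> dict:
    """Body for POST /api/v2/clients: a non-interactive app named after the organization,
    since client-credentials apps cannot be attached to an Organization directly."""
    return {
        "name": org_name,
        "app_type": "non_interactive",
        "grant_types": ["client_credentials"],
        "token_endpoint_auth_method": "client_secret_post",
    }

def client_grant_payload(client_id: str, audience: str, scopes: list[str]) -> dict:
    """Body for POST /api/v2/client-grants: allow the app to call the API with only these scopes."""
    return {"client_id": client_id, "audience": audience, "scope": scopes}

def mgmt_post(path: str, body: dict) -> dict:
    """Real poster: JSON POST to the Management API using the bearer token."""
    req = urllib.request.Request(
        f"https://{AUTH0_DOMAIN}{path}", data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {MGMT_TOKEN}", "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def onboard_client(org_name: str, audience: str, scopes: list[str],
                   post: Callable[[str, dict], dict] = mgmt_post) -> dict:
    """Create the M2M app, grant it the API, and return only what the client must receive."""
    client = post("/api/v2/clients", m2m_client_payload(org_name))
    grant = post("/api/v2/client-grants",
                 client_grant_payload(client["client_id"], audience, scopes))
    # The secret is available once here: deliver it out of band and never log it.
    return {"name": client["name"], "client_id": client["client_id"],
            "client_secret": client["client_secret"], "grant_id": grant["id"]}

def fake_post(path: str, body: dict) -> dict:
    """Constructed stand-in for the Management API so the example runs without a tenant."""
    if path == "/api/v2/clients":
        return {**body, "client_id": "cid_" + body["name"], "client_secret": "constructed-secret"}
    if path == "/api/v2/client-grants":
        return {**body, "id": "cgr_constructed"}
    raise ValueError(f"unexpected path {path}")
```

Calling `onboard_client("acme-org", "https://api.example.com", ["read:orders"])` against a real tenant creates the app and its grant in one step of the CLI.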