Feature:
Tens of thousands of client credentials for a single M2M application for an API
Description:
We have a scenario where several of our APIs need to be securely accessed by tens of thousands of clients. Rather than using an M2M authentication flow like Client Credentials to authenticate each client, we are using the Resource Owner Password Grant flow with our API. Auth0 support advised that there would be UI performance impacts and operational overheads for managing these thousands of application client credentials using an M2M flow, and instead advised using ROPG, where each client is modelled as a user account.
With M2M applications there is a current limitation of 2-4 max credentials per application. Ideally we would like a mechanism to support many clients using the Client Credentials Grant flow rather than the deprecated ROPG flow. We currently enrol user accounts via the Auth0 APIs to support management of these client user accounts, and would like to do the same for client credentials; the concern is mainly a nice way to manage thousands of client credentials on a single application.
Open to suggestions on how this could be implemented, be it Auth0-managed credentials or using an external CA/LDAP server to help with managing all the certificates.
Use-case:
We have an API that is used by a number of platform clients, and each platform client is used by thousands of merchants. In this scenario we have tens of thousands of merchants that need to access the API, each using their own M2M credential. Due to performance issues with the UI, we are using user accounts to model client credentials via ROPG. In the long term we would like to transition to a scalable and supported authentication flow rather than the deprecated ROPG.