We have an MVC project and need to expose a local API within the same project, placing it in a designated area. The goal is for a third-party client to request an endpoint in our local API, which will then redirect to our Identity Server for authentication. Upon successful login, the user will be redirected to a callback endpoint, which will be authorized and responsible for issuing a cookie. After acquiring the token, we aim to issue a cookie and return it to the third-party client.
Additionally, the third-party client should have the flexibility to make requests to both MVC controllers and the API. Since our business logic is extensive, we must support both approaches while gradually exposing all functionalities via the API.
However, we need a mechanism to predefine and authenticate the third-party client before granting access. What would be the best approach to achieve this?
What I would recommend for your use case would be creating a Machine to Machine application to secure and manage your API within Auth0 and implement the Client Credentials Grant Flow. The 3rd party client will be able to authenticate by making a request with the authorization header, sending the client ID and the client secret, along with other claims in order to get the access token and access the intended resource.
Information on how to set up the machine to machine application in the Auth0 Dashboard can be found under our documentation, while to integrate this from your backend you can also check our quickstart options.
Thank you for posting your inquiry and if you have further questions feel free to leave them here.
Best regards,
Remus
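As an added illustration of the Client Credentials Grant that Remus describes (this is example code, not Auth0's or the original poster's), the block below shows both halves of the exchange: how a machine-to-machine client builds the token request with its client ID and secret in the Authorization header, and what a minimal token endpoint checks before issuing an access token. The client registry, secret, salt and audience value are constructed for the example; in a real deployment Auth0 holds the client registration and issues the token.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed registry: secrets are stored hashed, never in plaintext.
# (Hypothetical client ID, secret and audience; Auth0 manages these in practice.)
_SALT = b"constructed-static-salt"  # a per-client random salt in a real store


def _hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


CLIENT_REGISTRY = {
    "third-party-client": {
        "secret_hash": _hash_secret("constructed-secret-123", _SALT),
        "allowed_audiences": {"https://api.example.local"},
    },
}


def make_basic_header(client_id: str, client_secret: str) -> str:
    """Client side: the Authorization header a confidential client sends."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def parse_basic_auth(header: Optional[str]):
    """Return (client_id, client_secret) from a Basic header, or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, secret = raw.partition(":")
    return (client_id, secret) if sep else None


def handle_token_request(headers: dict, form: dict) -> tuple[int, dict]:
    """Server side: a minimal client_credentials token endpoint (constructed example)."""
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return 401, {"error": "invalid_client"}
    client_id, secret = creds
    client = CLIENT_REGISTRY.get(client_id)
    # Hash the supplied secret even for unknown clients so timing stays uniform.
    supplied = _hash_secret(secret, _SALT)
    expected = client["secret_hash"] if client else supplied
    if client is None or not hmac.compare_digest(supplied, expected):
        return 401, {"error": "invalid_client"}
    audience = form.get("audience")
    if audience not in client["allowed_audiences"]:
        return 400, {"error": "invalid_target"}
    return 200, {
        "access_token": secrets.token_urlsafe(32),  # opaque token for the example
        "token_type": "Bearer",
        "expires_in": 3600,
        "audience": audience,
    }
```

The audience check is what ties a token to one API: a client registered for one resource cannot obtain a token for another, which is the "predefine the third-party client" requirement from the question.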
We don’t want to expose our client secret to the third party. Actually we want to use an approach similar to BFF. The third party makes a request to our API, the APIs make an internal request to the identity server, the user signs in, then the identity server makes a callback request to our API’s endpoint which is authorizing and triggering setting of a cookie in the response with all claims etc…
The problem is that when we return the cookie to the third party, we want to constrain that only one third party can pass cookies for both ways, I mean MVC controllers and API endpoints.
Since you do not want to provide the client secret to the 3rd party client the most suitable approach for your use case would be using the Authorization Code Flow with Proof Key for Code Exchange (PKCE), which will follow the exact schema you have described above. You can set up Auth0 as a proxy between your API and the external IdP, so after successful authentication Auth0 exchanges the ID token and issues new tokens, so that your local API using PKCE can exchange the code for an access token.
Then in order to ensure that only that particular 3rd party email client is approved for making these requests, the cookies have to be secured and domain restricted in your application, such as by using the Cross-Origin Resource Sharing method by setting the SameSite parameter to none. More information on CORS can also be found under the Auth0 Blog.
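To make the second answer concrete, here is an added example (not code from Auth0 or from the original poster) of the BFF side of Authorization Code + PKCE together with the cookie and CORS settings it mentions. It generates the S256 verifier/challenge pair per RFC 7636, keeps the verifier server-side keyed by `state`, builds the `/authorize` URL, and on the callback prepares the token request (no client secret, only the `code_verifier`) and a session cookie that is only issued to the one pre-approved origin, with `SameSite=None` paired with `Secure` and `HttpOnly`. `verify_pkce` shows the check the authorization server performs on the exchange. The client ID, redirect URI, tenant URL and partner origin are constructed placeholders, and the actual HTTP POST to the token endpoint is left to the caller so the block runs offline.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Constructed values; the real client_id, redirect URI and approved partner
# origin come from your Auth0 application settings.
CLIENT_ID = "constructed-bff-client-id"
REDIRECT_URI = "https://api.example.test/auth/callback"
AUTHORIZE_ENDPOINT = "https://example-tenant.auth0.com/authorize"
ALLOWED_ORIGINS = {"https://partner.example.test"}   # the single pre-approved third party

_PENDING: dict[str, str] = {}   # state -> code_verifier, held server-side only


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = b64url(secrets.token_bytes(32))                     # 43 unreserved chars
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def start_login() -> tuple[str, str]:
    """Step 1 (BFF): store the verifier by state and build the /authorize URL."""
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    _PENDING[state] = verifier
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Step 3 (authorization server): the check made when the code is exchanged."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    computed = b64url(hashlib.sha256(presented_verifier.encode()).digest())
    return hmac.compare_digest(computed, stored_challenge)


def handle_callback(state: str, code: str, origin: str):
    """Step 2 (BFF): validate state and origin, build the token request and cookie.

    Returns (status, token_request_form, response_headers). Posting the form to
    the token endpoint is left to the caller; nothing here touches the network.
    """
    verifier = _PENDING.pop(state, None)
    if verifier is None:
        return 400, None, {}                          # unknown or replayed state
    if origin not in ALLOWED_ORIGINS:
        return 403, None, {}                          # only the approved partner gets a cookie
    token_request = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "code_verifier": verifier,                    # proves possession without a client secret
        "redirect_uri": REDIRECT_URI,
    }
    session_id = secrets.token_urlsafe(32)            # opaque; the tokens stay on the server
    headers = {
        # SameSite=None is only honoured with Secure; HttpOnly keeps scripts away from it.
        "Set-Cookie": f"bff_session={session_id}; Path=/; HttpOnly; Secure; "
                      f"SameSite=None; Max-Age=3600",
        "Access-Control-Allow-Origin": origin,        # exact origin, never '*' with credentials
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
    return 200, token_request, headers
```

The same `ALLOWED_ORIGINS` check belongs in front of both the MVC controllers and the API endpoints, so the one partner's browser can send the cookie to either while any other origin is refused before a cookie is ever issued.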