Hi, I realized the third-party apps are less restrictive than first-party:
All third-party apps are allowed to use all the connections promoted to domain level, as opposed to first-party apps, which specifically need to be activated to use each connection by adding “enabled_clients” to the connection list.
This is very undesirable, as I'm forced to promote the connection to allow a third-party app to use it, but then it will be enabled for every third party and I lose the fine-grained control.
A bit of debugging in the browser (using Universal Login + Lock) shows the third-party apps need to declare __useTenantInfo: true in order to get all the domain-level connections, but this practice is actually bypassing the enabled_clients declared for every connection.
The first-party apps expose an endpoint at https://cdn.auth0.com/client/<client_id> which returns all the client info, including the enabled connections.
Security-wise, could I create a first-party app for a third-party company using my connections and my APIs?
Please clarify this in the docs, and provide a clear difference between these apps.
Thanks for the help.
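The access rule described in the post above can be checked offline against a tenant export. This is an added example, not part of the original post and not vendor code. It assumes the exported client and connection objects carry the fields `is_first_party`, `is_domain_connection` and `enabled_clients`; all sample data and client names are constructed.

```python
"""Audit which applications can reach which connections (added example)."""

# Constructed sample data; the field names is_first_party, is_domain_connection
# and enabled_clients are assumptions about the shape of a tenant export.
CLIENTS = [
    {"client_id": "fp_portal", "is_first_party": True},
    {"client_id": "fp_admin", "is_first_party": True},
    {"client_id": "tp_partner_a", "is_first_party": False},
    {"client_id": "tp_partner_b", "is_first_party": False},
]
CONNECTIONS = [
    {"name": "corp-saml", "is_domain_connection": True,
     "enabled_clients": ["fp_admin", "tp_partner_a"]},
    {"name": "customers-db", "is_domain_connection": False,
     "enabled_clients": ["fp_portal", "tp_partner_b"]},
]


def reachable(client, conn):
    """Access rule as described in the post, not taken from vendor docs."""
    if client["is_first_party"]:
        return client["client_id"] in conn.get("enabled_clients", [])
    # Third party: only domain-level promotion matters; enabled_clients is ignored.
    return bool(conn.get("is_domain_connection"))


def audit(clients, connections):
    """Return (matrix, findings): effective access plus third-party mismatches."""
    matrix = {c["client_id"]: sorted(n["name"] for n in connections if reachable(c, n))
              for c in clients}
    findings = []
    for conn in connections:
        allowed = set(conn.get("enabled_clients", []))
        for c in clients:
            if c["is_first_party"]:
                continue
            listed, can_use = c["client_id"] in allowed, reachable(c, conn)
            if can_use and not listed:
                findings.append((conn["name"], c["client_id"], "reachable but not in enabled_clients"))
            elif listed and not can_use:
                findings.append((conn["name"], c["client_id"], "listed but connection not domain-level"))
    return matrix, findings


if __name__ == "__main__":
    matrix, findings = audit(CLIENTS, CONNECTIONS)
    for row in findings:
        print(*row, sep=" | ")
```

Each finding is a place where the per-connection allow-list and the effective third-party access disagree, which is the loss of fine-grained control the post describes.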