I am trying my best to fully understand the relationship between Applications, APIs, Audience, and Scopes within the world of Auth0 and OAuth 2.0.
I think the best way to illustrate the relationships is through an example. Let’s say I have a service topology for the following system:
1 Application to many APIs
www.foo.com is the Application that services a SPA and is backed by 2 APIs, bar.foo.com and baz.foo.com
In this scenario, I thought I would create a single Auth0 application, and 2 APIs, each with their own audience. However, it appears that Auth0 (and OAuth 2.0) only allows a single audience to be set during a flow, so an Application has a 1-1 mapping to an API.
The problem I have with this is you can go to an API in the Auth0 portal and go to the Machine to Machine Applications and Authorize the 1 Application. It seems confusing to be able to allow something called an API to Authorize multiple Applications or many APIs Authorize the same Application, yet the “audience” can only be set to a single URI.
If I were to define the terms Application and API myself, I would probably define them as follows:
Application - the logical authentication boundary in which a user’s authentication context can span.
API - like an Application, an API is not a single physical instance of an API, but a logical grouping of services that present APIs that can be authenticated against using a single authentication context. This means my 2 APIs from my scenario would both really use the same API and therefore have the same audience value. This audience value wouldn’t be bar.foo.com OR baz.foo.com, but rather something like api.foo.com which doesn’t actually exist, but is just an “identifier” of my logical grouping of API services.
By the above, I basically mean that an Application isn’t a physical app, but really any number of apps that can be treated as a single authentication context. This means that a user can authenticate against the Application and bounce around to the different physical apps (nodejs, .NET Core, rails, etc) and hit different APIs all without having to re-login.
With that said, what is the point in validating the audiences? What is a scenario where you would have different Audiences (e.g. different Application with a different ClientID, ClientSecret, etc), but that Audience needs to be validated? If the Audience is different then isn’t the Application different as well? And if the Application is different that means the ClientId is different as well, so why not just validate against the ClientId?
I’m failing to see the purpose in having Audience validation and would love to hear about an example/scenario where this would be useful. E.g. where the signed token verification passes, but Audience validation fails.
P.S. I did try reading the spec, but I don’t see how it relates to the terminology Auth0 uses to describe these concepts.
Thanks!
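A constructed example (not from the post or from Auth0) of the scenario asked about at the end: the same SPA client holds a token minted for the bar.foo.com audience; if that token is sent to baz.foo.com, the signature check passes because both APIs trust the same tenant signing key, and only the audience check rejects it. HS256 with a shared key is assumed to keep it stdlib-only (Auth0 issues RS256 tokens, but the audience logic is the same), and the issuer, client id and key values are placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed: one tenant signing key trusted by every API in the tenant.
TENANT_KEY = b"constructed-tenant-signing-key"
ISSUER = "https://example-tenant.example.com/"  # placeholder issuer

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(audience: str, client_id: str, scope: str, key: bytes = TENANT_KEY) -> str:
    """Authorization-server side: issue an HS256 access token for ONE audience."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": "auth0|user123", "azp": client_id,
              "aud": audience, "scope": scope, "exp": int(time.time()) + 3600}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_token(token: str, expected_audience: str, key: bytes = TENANT_KEY) -> tuple:
    """Resource-server side: signature, then expiry, then audience.
    Returns (accepted, reason). Note the client id (azp) is never consulted:
    the same client legitimately holds tokens for several audiences."""
    try:
        h, c, s = token.split(".")
    except ValueError:
        return False, "malformed"
    expected_sig = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return False, "bad signature"          # not issued by our tenant
    claims = json.loads(_b64url_decode(c))
    if claims.get("exp", 0) < time.time():
        return False, "expired"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]   # RFC 7519 allows a list
    if expected_audience not in auds:
        # Signature is genuine, but the token was issued for a different API.
        return False, f"audience mismatch: token is for {aud!r}"
    return True, "ok"

if __name__ == "__main__":
    token = mint_token("https://bar.foo.com", "spa-client-id", "read:bar")
    print("bar.foo.com:", verify_token(token, "https://bar.foo.com"))
    print("baz.foo.com:", verify_token(token, "https://baz.foo.com"))
```

The second call is the case the post asks for: same client id, valid tenant signature, rejected purely on audience, which is what stops a token meant for one API from being replayed against another API in the same tenant.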