We have an API we expose through one or more machine-to-machine applications where each application has different access rights to the API. This is working perfectly and it is mainly intended for 3rd party developers.
We also have some minor C# applications/Excel add-ins/etc. that use the same API. This is intended for non-developers who can also benefit from the features of the API. We want users of these minor applications to log in using Auth0 e-mail/password verification. We have created a native application and followed the instructions in the “quick start” section to show users the Auth0 login dialog. This also works perfectly and the user is authenticated.
We would like to be able to give these users various access rights to the API and let their access token be passed to the API authentication (instead of just using a token from a machine-to-machine application). This would allow us full and detailed monitoring of all access to the API, right down to individual users of one of our minor applications.
Is this possible and if so how?
By the way, we have also installed the “Authorization Extension” where you can create permissions/roles/etc., but these are not easily mapped to the API scopes. That is a secondary question, however, as first we would like the user's access token to be valid for the API authentication.
It is similar to this question 7473, though the “interesting” part was never answered.
Thanks in advance.