I’ve been browsing through the Auth0 docs and have hit a snag on getting the information I need.
I have an API that I’d like to require users to register (with Auth0) to use. After they’ve registered, they’re provided with a set of credentials (OAuth client_id and secret?), which can then be used to generate an id_token that I can validate on my API.
This sounds like the norm to me, but I am having trouble finding the correct docs on how to implement this with Auth0.
There are a couple of things worth pointing out. ID tokens are not meant to be continuously sent to an API as a means to authorize requests; they are meant to give you information about the user that just completed an authentication process according to OpenID Connect. If that authentication also happened as part of an OAuth2 authorization transaction, then an access token would also be issued, and this token would indeed be suitable for making authorized requests to the associated resource server (aka API) on behalf of the end-user.
In addition to that, and in general, the above flows are coordinated by a client application, so it’s not the actual end-user making the raw requests; instead it’s a client application that will obtain the access token and then make the requests to the API. If you have a client application that can be used to drive these requests, then the exact flow that would be used will depend on the client application’s characteristics. See: Which OAuth 2.0 flow should I use?
On the other hand, if you want to give direct access to the API for end-users, the exact recommendation would depend on all the details. Among others, are those registered end-users developers or just tech-savvy? Do they authenticate only with database connections (custom username/password), or do they use other methods like social authentication?
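To make the ID token vs. access token distinction concrete, here is an added example (not from this thread or from Auth0's own SDKs) of the check an API should perform on a bearer token: it accepts a token whose `aud` is the API identifier and rejects an ID token, whose `aud` is the application's client_id. The issuer, API identifier, client_id and HS256 secret are constructed placeholders; real Auth0 tokens are RS256-signed and an API verifies them against the tenant's JWKS.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: the tenant issuer, the API identifier (the audience an
# access token carries) and an application's client_id (the audience an ID
# token carries). Auth0 signs with RS256 and an API verifies against the tenant
# JWKS; a shared HS256 secret is used here only so the example runs offline.
ISSUER = "https://example-tenant.auth0.com/"
API_IDENTIFIER = "https://api.example.com/"
CLIENT_ID = "client-id-placeholder"
SECRET = b"constructed-hs256-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(claims: dict) -> str:
    """Build a constructed HS256 JWT standing in for a token Auth0 would issue."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_access_token(token: str, now=None) -> dict:
    """Validate a bearer token the way the API (resource server) should."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust the token's own alg choice
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if API_IDENTIFIER not in (aud if isinstance(aud, list) else [aud]):
        # An ID token's aud is the client_id, so it is rejected here by design.
        raise ValueError("token not issued for this API")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims
```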