I have a SPA which is using Auth0 with Auth0 as the identity provider. I am building a CLI using which users would be able to automate tasks on our application. From what I understand, I should be using the Client Credentials Flow for this. Should I create a separate client application for each of my users? This doesn’t seem scalable.
Ideally I would want a long lived token which users can generate (and invalidate) from my SPA or generate a client ID and secret from my SPA (like the AWS CLI) and let users use that in the CLI to access the protected API.
What is the recommended way to go about doing this?
Welcome to the Auth0 Community!
What flow you use is going to depend on whether your application is private or public.
If it is a secure private server where you are confident you can secure a secret, then yes, you will use client credentials. A public application, on the other hand, will not be a secure place to store a client secret.
Take a look here for our doc on how to secure a CLI; it covers both client credentials and auth code flow w/ PKCE:
If you need to create and register a new application for each user, you can do so programmatically with the management API.
Does that help? I think you should be able to accomplish your goals with these resources, but please reach out with more questions.
Thank you for your reply.
The code for my CLI is public. I can go down the Client Credentials route if I register a new application for each user via the API. However, is this approach scalable? What if the application I am building has tens of thousands of users? Is this the canonical way to go about this?
If I go down the Auth Code flow, I am confused about the "Authorize the User" section where I would need to send the user to https://YOUR_DOMAIN/authorize?.... Should I open an actual browser for this from my CLI? I expect that my CLI would be used on servers, etc., where there may not be a screen to open a browser.
I am not clear on your use case, however, with that said, it sounds to me like you should use either implicit or Auth Code + PKCE.
If this is an application that runs completely unattended, then client credentials is likely the way to go.
But if it is a CLI run by an end user, one of the other flows is recommended instead. Basically, the CLI pops open a browser to do a redirect flow, and then once the access token is received, continues.
If you can clarify the details, we can help more.
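The browser-redirect flow the last reply describes (Authorization Code + PKCE driven from a CLI), as an added example that is not from this thread or from Auth0's own SDKs: the CLI generates a PKCE verifier, builds the `/authorize` URL it will open in the user's browser, and catches the redirect on a loopback listener, checking `state` before trusting the code. The tenant domain, client ID, audience, port and redirect URI are assumed placeholders.

```python
import base64
import hashlib
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

def pkce_challenge(verifier: str) -> str:
    # S256 challenge (RFC 7636): base64url(SHA-256(verifier)) with padding stripped
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_verifier() -> str:
    # 43-char random verifier; it stays in the CLI process and never goes to the browser
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")

def build_authorize_url(domain, client_id, redirect_uri, audience, challenge, state) -> str:
    # The /authorize URL the CLI opens in the user's browser; no client secret is involved
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "openid offline_access", "audience": audience, "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"https://{domain}/authorize?" + urlencode(params)

def parse_callback(path: str, expected_state: str) -> str:
    # Pull the authorization code out of the redirect; reject a missing or foreign state
    qs = parse_qs(urlparse(path).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback did not come from this login attempt")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]

def wait_for_code(port: int, expected_state: str) -> str:
    # Serve exactly one request on the loopback redirect URI and return the code it carries
    outcome = {}
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                outcome["code"] = parse_callback(self.path, expected_state)
            except ValueError as exc:
                outcome["error"] = str(exc)
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"Login complete, you can close this tab.")
        def log_message(self, *args):  # keep the CLI's own output clean
            pass
    with HTTPServer(("127.0.0.1", port), Handler) as server:
        server.handle_request()
    if "error" in outcome:
        raise ValueError(outcome["error"])
    return outcome["code"]
```

A CLI would call `webbrowser.open(build_authorize_url(...))` with a fresh `state` and the challenge from `new_verifier()`, then `wait_for_code(port, state)`, and finally POST the code together with the verifier to the tenant's `/oauth/token` endpoint to obtain the access (and refresh) token. On a headless server with no browser, this redirect flow cannot complete, which is why the reply above points unattended automation at client credentials instead.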