Using Auth0 to issue API keys for teams with team based rate limits?

Hello,

I’m responsible to develop a central authentication and authorization service for multiple applications and APIs. However, it seems that those use cases for authorisation are rather complex when using Auth0.

The most complex case seems this: We want to allow users to organise themselves in teams and request API keys to access one of our APIs on behalf of that team. Users can belong to multiple teams and the teams will have different permissions and rate limits for different APIs.

After reading through Auth0 docs, this seems to be one way to solve that. But I’d like to have some input to open questions and whether this concept makes sense at all:

  1. User Tom registers on a MyAccount web application using Auth0.
  2. MyAccount requests an API key for the central authorisation API auth.myorg.com (hosted by us) using the Authorization Code Flow (with PCKE if MyAccount is a SPA)
  3. Tom sends a create_team request to auth.myorg.com to create the team some_team
  4. The authorisation API uses Auth0’s Management API to
    a) Create a new resource server (API) on Auth0 (for example using the identifier auth.myorg.com/teams/some_team)
    b) Add the team and the users role to the users app_metadata field (for example { "teams": [ {"name": "some_team", role: "admin"} ]}
  5. Tom now switches to the team page on the MyAccount web app which then requests an access token for auth.myorg.com/teams/some_team (using the Authorization Code Flow again)
  6. An Auth0 rule now checks on that authorisation request that Tom belongs to some_team (otherwise returns unauthorised) and adds the role admin to the token.
  7. Tom now can access the teams page and is able to add/remove other users via auth.myorg.com endpoint (Question: How can auth.myorg.com query Auth0 for all users belonging to team some_team?)
  8. We now want to allow some_team access to ourapi.myorg.com with custom rate limits, so
    a) One of our admins sends a set_permissions request to auth.myorg.com to allow some_team to access ourapi.myorg.com with a limit of 1000 requests per second.
    b) The auth.myorg.com API either stores this internally in a database or uses the Management API to write this to Auth0 (Question: Where would we store such team based parameters in Auth0?)
    c) auth.myorg.com also uses the Management API to create a new resource server (API) ourapi.myorg.com/teams/some_team
  9. Tom now wants to create an API key to access ourapi.myorg.com on behalf of some_team, so:
    a) The MyAccount applications requests a refresh_token for ourapi.myorg.com/teams/some_team via auth.myorg.com using the Authorization Code Flow
    b) An Auth0 rule now checks that Tom belongs to some_team (otherwise returns unauthorised) and adds the custom rate limit to the access token.
    c) The refresh token is displayed to Tom, which he can now use to get short lived access tokens. He does this by proxying the request through auth.myorg.com which uses its client id and secret to be able to refresh access tokens.
    d) Tom uses those access tokens to request data from ourapi.myorg.com, while ourapi is applying the teams rate limits.

This seems rather complicated though and I’m not sure if it’s not easier to just issue our own JWTs for API access and have API permissions stored in our own database (and use Auth0 only to handle access tokens for auth.myorg.com). But maybe I’m also getting this wrong and there is an easier way to solve this use case?