Auth0 Home Blog Docs

WebAuth, audience, multiple APIs and scopes

scopes
webauth
api

#1

frontend: React
backend: nodejs with express

I am using WebAuth to authenticate the user and make a call to external API in the name of this user. I am also implementing the backend so in theory I have full control.
What is confusing for me is that when I create WebAuth object I need to pass and audience and required scopes. It works correctly when I am using single API (this is where I apply the scopes on the Auth0 dashboard). I am just putting my API ID as audience field.
Question is: what to do if I would have more than one API? How to “mix” it into audience so that I will get merged scopes from all of the APIs?

Is it possible? I am affraid I do not understand those scopes properly enough…


#2

At this time, each request can only specify a single audience so the scopes would also be the ones associated with the specified audience. However, there are some ways where you can handle multiple API’s; which would also impact on how all the scopes would need to be passed.

1. Multiple endpoints as single Auth0 API

If you control all the endpoints/API’s in question and they kind of represent the same or related concepts and are only implemented as distinct endpoints/API’s due to non-functional requirements. For example, you gone the way of micro-services but they still reflect the same business requirements then you can consider representing all of them as single API in Auth0. This would allow for a single authorization request to give you an access token that could then be used at multiple endpoints.

For reference documentation on the above option see How to Represent Multiple APIs Using a Single Auth0 API.

2. Multiple Auth0 API’s with (silent) authorization requests

If you don’t control all the API’s that your client application may need to interact with or they are so distinct that mapping them under a single entity could be difficult then you can consider representing them as separate Auth0 API’s and then perform multiple authorization requests so that your client application received multiple access tokens.

Have in mind that multiple authorization request may not not imply that the user has to perform authentication multiple times. For example, if the first request triggers user authentication but is done in a way that an authenticated session is established at the identity provider (your Auth0 account) then subsequent request can leverage that session and not force the user to authenticate again. In some situations, in particular if none of the API’s in question requires explicit consent from the user then it may even be possible to perform the additional authorization requests without any sort of user interaction; see Silent Authentication.


#3