OIDC-Conformant Adoption: APIs
With the OIDC-conformant pipeline, Applications and APIs (resources) should be defined as separate Auth0 entities. Benefits include:
Simpler API integration. APIs are no longer tied to applications that call them.
Machine-to-machine (M2M) integration scenarios. Applications can authenticate as themselves (instead of acting on behalf of a user) to programmatically and securely get an Access Token.
Architecture
Some suggested OIDC-conformant solutions for different scenarios include:
You have multiple applications calling an API under a single client ID. In this case, represent each application as its own Auth0 application, each of which is authorized to call the API on which the applications depend.
You use delegation to exchange tokens obtained by one application for tokens for a different application. In this case, use a multi-application solution, with each application authenticating to the same resource server.
Your applications do not depend on external APIs; you just need to authenticate users. In this case, you do not need to define an API as long as ID Tokens are:
processed only by the application
not sent to any external services