Reputation: 4906
I'm trying to accomplish the following scenario.
I have an API at the moment and one web app. I have also created a new OAuth client on my auth server (Keycloak), which follows the implicit grant. I also used JWKS on my Node.js API to do the token verification.
Now I want to create an SDK that will target the same API.
The question is how do I get the SDK to retrieve an access token from the auth server. The first thought is that I will have to create a new OAuth client on the auth server and then use the client credential flow to get the access token. However, I don't know what the behaviour of my API should be. At the moment it uses JWKS against a single audience. How should it be configured to verify access tokens from multiple clients (potentially thousands of them)?
Upvotes: 0
Views: 1618
Reputation: 29198
If you want multiple clients to call your API they should all use the same audience, and your first level of security will work.
The audience in access tokens represents the API(s) the token can be used against.
You will then need to use something else to authorize API requests, depending on the type of client and what they are allowed to do.
Configure each type of client in your auth server so that you are in control and know who is calling the API.
You may have 1000 clients but only 4 levels of privilege - in which case only configuring 4 OAuth clients may make sense.
One OAuth option you can use is to give different clients different scopes. Scopes can represent high level privileges.
If a particular client calls an addOrder operation but does not have an Orders scope, you could return a 403 response.
Often, though, API authorization needs to go beyond OAuth checks and apply custom rules based on the end user's privileges.
If you can provide more info on your scenario I could provide a more complete answer.
Upvotes: 2
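The checks described in the answer above, as an added example that is not part of the original answer or the asker's code: every client's token carries the same audience, and a per-operation scope decides between success and a 403. The audience value, scope names, operation table and sample claims are hypothetical, and the claims are assumed to come from a token whose signature, issuer and expiry were already verified against the JWKS.

```javascript
// Added example: claim-level authorization, run after signature verification.
// Assumption: signature, issuer and expiry were already checked against the JWKS.
const API_AUDIENCE = "orders-api"; // hypothetical audience shared by every client

// Hypothetical operation -> required scope table (a Map avoids prototype lookups).
const REQUIRED_SCOPE = new Map([
  ["addOrder", "orders"],
  ["listProducts", "products"],
]);

// "aud" may be a single string or an array of strings (RFC 7519).
function hasAudience(claims, audience) {
  const aud = claims.aud;
  return Array.isArray(aud) ? aud.includes(audience) : aud === audience;
}

// "scope" is a space-delimited string (RFC 6749); a missing claim grants nothing.
function grantedScopes(claims) {
  const raw = typeof claims.scope === "string" ? claims.scope : "";
  return new Set(raw.split(" ").filter(Boolean));
}

// Returns the HTTP status the API should respond with for this request.
function authorize(claims, operation) {
  if (!claims || !hasAudience(claims, API_AUDIENCE)) return 401; // not issued for this API
  const required = REQUIRED_SCOPE.get(operation);
  if (!required) return 403; // unmapped operation: deny by default
  return grantedScopes(claims).has(required) ? 200 : 403;
}

// Constructed sample claims: different OAuth clients (azp), same audience.
const WEB_APP = { azp: "web-app", aud: "orders-api", scope: "openid orders products" };
const SDK_CLIENT = { azp: "sdk-client", aud: ["orders-api", "account"], scope: "products" };
const OTHER_API = { azp: "sdk-client", aud: "billing-api", scope: "orders" };

console.log(authorize(WEB_APP, "addOrder"));        // 200
console.log(authorize(SDK_CLIENT, "listProducts")); // 200
console.log(authorize(SDK_CLIENT, "addOrder"));     // 403
console.log(authorize(OTHER_API, "addOrder"));      // 401
```

Adding another client with an existing privilege level changes nothing in the API: only the scopes the auth server issues to that client differ.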