SOLVED Does anyone have recommendations on how services should authenticate to apps that use FA?



  • I've got an app providing an HTTP API. Users (i.e. people) authenticate to it using normal FA flows (e.g. OAuth login using authorization code grant with JWTs and refresh tokens).

    Now I want to have internal (and eventually partner) services access the API to perform certain bulk operations. They will have access to do things across various/multiple users, such as importing data or even new users, so they aren't authenticating on behalf of a given user/person. What kind of authn credentials should these services have?



  • This seems like a case for the client credentials grant, which is unfortunately still on the roadmap: https://github.com/FusionAuth/fusionauth-issues/issues/155 Not sure that would help with the rotation, though. Just like username and password approach, I don't believe the credentials grant lets you rotate creds in.

    Other options: you could look into a third party api management solution (as mentioned here).

    Could you use longer lived JWTs but then a webhook to revoke them, as outlined here: https://fusionauth.io/learn/expert-advice/tokens/revoking-jwts ?

    You can control the duration on an application by application basis (so all JWTs issued by one application have to have the same length). You could create a 'services' application that only these services would have registrations with, not sure if that would work.