
    Does anyone have recommendations on how services should authenticate to apps that use FA?

    Q&A
    api authorization oauth
    dan

      I've got an app providing an HTTP API. Users (i.e. people) authenticate to it using normal FA flows (e.g. OAuth login using authorization code grant with JWTs and refresh tokens).

      Now I want to have internal (and eventually partner) services access the API to perform certain bulk operations. They will have access to do things across various/multiple users, such as importing data or even new users, so they aren't authenticating on behalf of a given user/person. What kind of authn credentials should these services have?

      --
      FusionAuth - Auth for devs, built by devs.
      https://fusionauth.io

    dan

        This seems like a case for the client credentials grant, which is unfortunately still on the roadmap: https://github.com/FusionAuth/fusionauth-issues/issues/155 Not sure that would help with the rotation, though. Just like the username and password approach, I don't believe the client credentials grant lets you rotate creds in.

        Other options: you could look into a third party api management solution (as mentioned here).

        Could you use longer lived JWTs but then a webhook to revoke them, as outlined here: https://fusionauth.io/learn/expert-advice/tokens/revoking-jwts ?

        You can control the duration on an application by application basis (so all JWTs issued by one application have to have the same length). You could create a 'services' application that only these services would have registrations with, not sure if that would work.


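The combination sketched in the reply above, written out as an added Python example (this is not code from the thread, nor FusionAuth's own code): the API only treats a JWT as a service credential when its `aud` is the id of a dedicated 'services' application, the tokens are long-lived, and a revocation webhook records per subject the instant after which older tokens are rejected. The application id, the shared HS256 signing key (FusionAuth applications may instead sign with RSA; HS256 is an assumption here), the token contents and the webhook body are all constructed for illustration, as is the assumed shape of the revoke event.

```python
"""
Added example (not code from the thread or from FusionAuth): an API-side gate
for service-to-service JWTs that combines a dedicated 'services' application
(the only accepted `aud` for bulk endpoints), long-lived tokens, and an
out-of-band revocation webhook. All identifiers and keys are constructed.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

SERVICES_APP_ID = "11111111-2222-3333-4444-555555555555"  # constructed application id
SERVICES_HMAC_KEY = b"example-hs256-key-do-not-reuse"      # constructed; HS256 is an assumption

# subject (service identity) -> epoch seconds of its most recent revocation event
_revoked_after: Dict[str, int] = {}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_service_token(service_id: str, issued_at: int, ttl_seconds: int,
                       aud: str = SERVICES_APP_ID) -> str:
    """Mint an HS256 JWT the way the constructed 'services' application would."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": service_id, "aud": aud, "iat": issued_at, "exp": issued_at + ttl_seconds}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SERVICES_HMAC_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def handle_revocation_webhook(body: dict) -> None:
    """Record a revocation. The body shape is an assumption modelled on a
    FusionAuth 'jwt.refresh-token.revoke' event:
    {"event": {"type": ..., "userId": ..., "createInstant": <ms since epoch>}}."""
    event = body["event"]
    if event.get("type") != "jwt.refresh-token.revoke":
        return
    _revoked_after[event["userId"]] = int(event["createInstant"]) // 1000


def verify_service_token(token: str, now: int) -> Optional[dict]:
    """Return the claims if the token may call bulk endpoints, else None."""
    try:
        h64, c64, s64 = token.split(".")
        # Check the signature over the raw encoded parts before trusting anything inside.
        expected = hmac.new(SERVICES_HMAC_KEY, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(c64))
    except (ValueError, KeyError):
        return None
    # The key is pinned to HS256; a header claiming any other algorithm is rejected.
    if header.get("alg") != "HS256":
        return None
    # Only tokens issued to the dedicated 'services' application are service credentials.
    if claims.get("aud") != SERVICES_APP_ID:
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    # Long-lived tokens are cut off by the webhook: anything issued at or before the
    # recorded revocation instant is dead; a token minted afterwards is accepted again.
    revoked_at = _revoked_after.get(claims.get("sub"))
    if revoked_at is not None and claims.get("iat", 0) <= revoked_at:
        return None
    return claims


def demo() -> Dict[str, bool]:
    """Scenario walk-through; returns which tokens were accepted at each step."""
    _revoked_after.clear()
    t0 = 1_700_000_000
    month = 30 * 24 * 3600
    importer = mint_service_token("importer-svc", t0, month)
    accepted = {"before_revocation": verify_service_token(importer, t0 + 60) is not None}
    # Constructed webhook delivery: importer-svc was revoked two minutes after issuance.
    handle_revocation_webhook({"event": {"type": "jwt.refresh-token.revoke",
                                         "userId": "importer-svc",
                                         "createInstant": (t0 + 120) * 1000}})
    accepted["after_revocation"] = verify_service_token(importer, t0 + 180) is not None
    reissued = mint_service_token("importer-svc", t0 + 200, month)
    accepted["reissued_token"] = verify_service_token(reissued, t0 + 260) is not None
    # A valid token from the ordinary user-facing application must not unlock bulk endpoints.
    user_app = mint_service_token("importer-svc", t0 + 200, month, aud="user-app-id")  # constructed aud
    accepted["user_app_token"] = verify_service_token(user_app, t0 + 260) is not None
    return accepted
```

The revocation map is keyed by subject and stores only a timestamp, so the API never has to persist or look up individual token ids; the cost is that a revocation kills every token the service held at that moment, which for a service account is usually the intended effect. A production API would persist the map rather than keep it in a module-level dict, and would ignore the webhook unless it is authenticated (for example by a shared header the webhook is configured to send).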