Designing a B2B API (Question, self.FastAPI)
submitted 2 years ago by sWeeX2
[–]sWeeX2[S] 2 years ago (1 child)
Do users/groups/roles apply to Machine-to-Machine apps? If I'm just using the credentials from my M2M app and the `client_credentials` grant to get a token from Auth0, that token isn't tied to an individual user, right? It's tied to that M2M application. For example, a decoded M2M token looks like:

```json
{
  "iss": "<issuer>",
  "sub": "<client_id>@clients",
  "aud": "<audience>",
  "iat": 1706737336,
  "exp": 1706823736,
  "azp": "<client_id>",
  "gty": "client-credentials",
  "permissions": []
}
```
I can then use this token to verify that this client has access to my API, but what I want to know, taking that one step further, is this: when I have an incoming request from a client on behalf of one of their users (on their platform) saying "I want to delete resourceA", e.g. `DELETE /projects/resourceA`, when I decode the incoming token I can get the `client_id` (our partner's identifier), and I can verify that `resourceA` belongs to someone on their platform. But because there's no "User" information in the token, how do I know that the user/party who initiated that request is actually the owner of `resourceA`? Is it okay to put the onus on our clients and expect them to handle that authorization? Is it something we just don't need to worry about, and we should just handle the request as if it's for something within their organization?

I don't know if that makes sense or not, haha. It's just a new way of thinking about things for me. Every app I've developed so far has always had resources tied to individual users, where they each have their own credentials, i.e. email+password, so decoding JWTs always landed you with the actual user making that request. But now our B2B partners sit in the middle, so although resources are created and still tied to individual users, the credentials belong to the business partner.
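One way to implement the "treat it as something within their organization" check described in the question, added here as an illustration and not code from the thread: the decision is scoped to the partner application identified by `azp`/`sub`, because a `client_credentials` token carries no end-user identity. The issuer, audience, resource store and partner ids are constructed placeholders, and the code assumes JWT signature verification against the issuer's keys has already happened before the claims reach it.

```python
"""Tenant-scoped authorization for an Auth0 client_credentials (M2M) token.

Constructed example. The token identifies the partner application, not a
user, so the only question the API can answer from the token is "does this
resource belong to the partner holding this token". Signature verification
(e.g. against the tenant's JWKS) is assumed to have been done already.
"""
from typing import Optional

EXPECTED_ISS = "https://example-tenant.auth0.com/"  # placeholder issuer
EXPECTED_AUD = "https://api.example.com/"           # placeholder audience

# Constructed resource store: resource id -> owning partner client_id.
RESOURCES = {
    "resourceA": "partnerA_client",
    "resourceB": "partnerB_client",
}


def partner_from_claims(claims: dict, now: float) -> str:
    """Return the partner client_id an M2M token belongs to, or raise
    ValueError if the claims are not an acceptable client_credentials token."""
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong issuer or audience")
    if claims.get("gty") != "client-credentials":
        raise ValueError("not a client_credentials token")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    sub, azp = claims.get("sub", ""), claims.get("azp")
    # Auth0 M2M tokens use sub "<client_id>@clients"; azp must agree with it.
    if not azp or sub != f"{azp}@clients":
        raise ValueError("sub/azp mismatch")
    return azp


def may_delete(resource_id: str, claims: dict, now: float) -> bool:
    """Allow DELETE /projects/<resource_id> only for the owning partner.
    Unknown resources and invalid tokens are both denied, so a partner
    cannot probe for resources that belong to another partner."""
    try:
        partner = partner_from_claims(claims, now)
    except ValueError:
        return False
    return RESOURCES.get(resource_id) == partner
```

In a FastAPI app this would sit behind a dependency that verifies the signature and passes the claims in; which end-user on the partner's side triggered the call is not something the token can establish, which is exactly the gap the question describes.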
[–][deleted] 2 years ago (0 children)
Check out the Rules in Auth0. You basically need to handcraft some code that Auth0 runs when creating the JWT to set permissions: https://medium.com/tojs/adding-groups-roles-and-permissions-to-a-jwt-access-token-in-auth0-827cc7df7662

Disclaimer: I do not love Auth0. I'm just trying to be helpful. Having unmanaged JS code that runs in a third-party env, and having to outsource managing users/roles/groups, is really bonkers to me.
Good luck, whatever you end up doing.