Integrating Google One-Tap sign-up/login with Auth0

I don’t think using M2M is a good approach since that’s not meant for user-based flows. Rather, M2M (specifically OAuth 2.0 Client Credential Grant) is intended for machine-based flows where the resulting Access Token represents the app itself instead of the end user. I think the motivation of using M2M is to attempt to treat Auth0 as an STS and exchange a token from one issuer (Google’s ID Token) for one of another (your Auth0 tenant).

Consider this approach instead:

  1. Perform the Google One Tap flow, which results in obtaining an ID Token from Google in the browser
  2. Decode the ID Token and extract the user’s email address. You can optionally validate the ID Token’s signature, but I think this isn’t necessary with the upcoming steps
  3. Use Auth0.js’s authorize() method to perform an authentication flow with Auth0, passing a connection parameter with a value of google-oauth2 and a login_hint with a value of the email address you collected in step 2
  4. Auth0 will perform a login flow directly against your Google social connection, passing the same email, which will avoid any sort of user picker prompt (in case you’re signed in with more than one account). And since you already have a session with Google, you will automatically SSO through.

Of course, you do need to ensure you have a Google connection set up in your Auth0 tenant first.

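The four steps above, wired together in the browser. This is an added example, not code from the reply or from Auth0's or Google's own samples. It assumes the Google Identity Services script (google.accounts.id) and auth0.js (auth0.WebAuth) are already loaded on the page, and that GOOGLE_CLIENT_ID, AUTH0_DOMAIN, AUTH0_CLIENT_ID and REDIRECT_URI are placeholders you replace with your own values. On top of the steps in the reply it also refuses to forward an email that Google has not marked email_verified, so the login_hint handed to Auth0 is never an unverified address. The helper functions are kept pure so they can be exercised outside a browser.

```javascript
// Placeholder configuration: replace with your own tenant and client settings.
const GOOGLE_CLIENT_ID = 'YOUR_GOOGLE_CLIENT_ID.apps.googleusercontent.com';
const AUTH0_DOMAIN = 'YOUR_TENANT.auth0.com';
const AUTH0_CLIENT_ID = 'YOUR_AUTH0_CLIENT_ID';
const REDIRECT_URI = 'https://app.example.com/callback';

// base64url helpers (JWT segments are base64url without padding).
function base64UrlDecode(input) {
  const b64 = input.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  if (typeof Buffer !== 'undefined') return Buffer.from(padded, 'base64').toString('utf8');
  return decodeURIComponent(
    Array.prototype.map.call(atob(padded), (c) => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('')
  );
}

function base64UrlEncode(str) {
  const b64 = typeof Buffer !== 'undefined' ? Buffer.from(str, 'utf8').toString('base64') : btoa(str);
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Step 2: decode the Google ID Token payload (no signature check, as the reply notes)
// and extract the email. The verified-email check is an extra safeguard added here.
function extractVerifiedEmail(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  const claims = JSON.parse(base64UrlDecode(parts[1]));
  if (typeof claims.email !== 'string' || claims.email_verified !== true) {
    throw new Error('ID Token lacks a verified email claim');
  }
  return claims.email;
}

// Step 3: the options passed to auth0.js authorize(): force the Google social
// connection and pre-select the account with login_hint so no picker appears.
function buildAuthorizeOptions(email) {
  return { connection: 'google-oauth2', login_hint: email };
}

// Constructed sample token (header + claims + dummy signature) for offline testing only;
// a real Google ID Token would carry an RS256 signature in the third segment.
function makeSampleIdToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const payload = base64UrlEncode(JSON.stringify({ iss: 'https://accounts.google.com', ...claims }));
  return `${header}.${payload}.dummysignature`;
}

// Step 1 + 4: run One Tap, then hand the email to Auth0, which logs in against the
// Google connection; the existing Google session carries the user through via SSO.
function startOneTap(webAuth) {
  google.accounts.id.initialize({
    client_id: GOOGLE_CLIENT_ID,
    callback: (response) => {
      try {
        const email = extractVerifiedEmail(response.credential);
        webAuth.authorize(buildAuthorizeOptions(email));
      } catch (err) {
        console.error('One Tap sign-in aborted:', err.message);
      }
    },
  });
  google.accounts.id.prompt();
}

// Only wire up the browser flow when both SDKs are present on the page.
if (typeof window !== 'undefined' && typeof google !== 'undefined' && typeof auth0 !== 'undefined') {
  const webAuth = new auth0.WebAuth({
    domain: AUTH0_DOMAIN,
    clientID: AUTH0_CLIENT_ID,
    redirectUri: REDIRECT_URI,
    responseType: 'code',
    scope: 'openid profile email',
  });
  startOneTap(webAuth);
}
```

Because authorize() redirects to your Auth0 tenant, the tokens you end up with are issued by Auth0 rather than Google, which is what the reply is steering toward instead of a token exchange through an M2M grant.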