Which grant type for many IoT devices?

For an IoT application, I want to connect a large number of devices to a cloud API. The devices are autonomous and should be authenticated in order to prevent API misuse. I do not want to trust the integrity of these devices: they are in the hands of end-users and can be reverse engineered to find whatever secrets they hold.

Looking at all documentation, I have managed to implement this with an OIDC-compliant non-interactive client with password authentication. A username and password is created in Auth0 for each IoT device when it is installed, and it uses this username/password to authenticate with the non-interactive client. The devices also have the client ID/secret. If a device is compromised, I can block the user and thereby prevent it from accessing the cloud again. Even though they have the client secret, they cannot do anything with it.

While this works, it seems to me that user/password authentication was not intended for this purpose. But due to the number of devices, it seems impractical to make a new client in Auth0 every time a device is issued. What is the appropriate authentication mechanism to use here?

As it has been more than a few months since this topic was opened, and there has been no reply or further information provided as to the existence of the issue, we are closing this topic. Please don’t hesitate to create a new topic if this issue is still present, we would be happy to work with you to help find a resolution.