We have two applications in our tenant - one of which is a “Profile management” application that holds some user data among other pieces; the other is an actual service we run. Both applications can be logged into by the user.
What would be the correct process for the second application in our Auth0 tenant to authenticate to the profile application’s API in the user’s context in order to access their information?
Should we be authenticating the two applications using the M2M flow, or is there a better, more user-centric way? I’d rather limit access to user data to the requesting user, rather than have it be all or nothing with the decision being made within the Profile application.