Add uuid as custom claim to access token

Hi all!

I have one native application and an API. What I have configured is to authenticate the user through the native application and, using a Login / Post Login action (which makes a call to the M2M application to get an access token for the API), obtain the access token for the API.

What I am trying to accomplish is to set up an action for the M2M application that sets a custom claim for the user's uuid, which was added to app_metadata / user_metadata in the previous Login / Post Login actions. However, I found there is no access to the user in the M2M action's event object. How can I accomplish this?

Hi @subee.admin

Thanks for getting in touch with us here at Auth0 Community!

The M2M Action is based on the Client Credentials flow, where a client ID and client secret are used to authenticate the M2M application (typical for services running on the backend). As a result there is no user authentication involved, so the user property of the event object is out of scope; please see https://auth0.com/docs/authorization/flows/client-credentials-flow

If you have a native app I expect you will be using something like Authorization Code Flow with Proof Key for Code Exchange (PKCE), https://auth0.com/docs/authorization/flows/authorization-code-flow-with-proof-key-for-code-exchange-pkce. When you authorise with this flow you will receive an ID Token and an Access Token; you can use the Access Token received here for access to your API, and maybe add your custom claims to the token at this point: https://auth0.com/docs/security/tokens/access-tokens

I’m not sure what SDK you’re using, but I would review the documentation to check how to do this (https://auth0.com/docs/libraries). For example, if you were using React Native you might do the following to get an ID Token and an Access Token.

import Auth0 from 'react-native-auth0';

// Domain and client ID come from the native application's settings in the Auth0 dashboard.
const auth0 = new Auth0({ domain: 'YOUR_AUTH0_DOMAIN', clientId: 'YOUR_CLIENT_ID' });

auth0
    .webAuth
    .authorize({scope: 'openid profile email'})
    .then(credentials => {
      // Successfully authenticated: credentials carries idToken and accessToken
      // Store the accessToken for later calls to the API
      this.setState({ accessToken: credentials.accessToken });
    })
    .catch(error => console.log(error));

Unless your use case is different; if so, please let us know what your use case is and how the M2M application fits into the picture.

Many thanks.

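Putting the uuid onto the user's own access token, as the reply above suggests, is done in a Login / Post Login Action rather than in the M2M Action. The following is an added example, not code from the thread or from Auth0's docs; the claim name https://example.com/uuid, the user_id and the uuid value are assumptions, and recordingApi is a constructed stand-in for the Action's api object so the handler can be run locally. It reads the uuid only from app_metadata, because a user can change their own user_metadata, so an API that authorizes on this claim should not source it from there.

```javascript
// Assumed, namespaced claim name: a URL-style prefix keeps the custom claim
// from colliding with standard OIDC claims such as `sub` or `email`.
const CLAIM_NAME = 'https://example.com/uuid';

// Copies the uuid stored on the user into both tokens. Only app_metadata is
// trusted: it is written by Actions or the Management API, never by the user.
function addUuidClaim(event, api) {
  const user = event.user || {};
  const uuid = user.app_metadata && user.app_metadata.uuid;
  if (typeof uuid !== 'string' || uuid.length === 0) {
    return false; // nothing to add; the tokens are issued without the claim
  }
  api.accessToken.setCustomClaim(CLAIM_NAME, uuid);
  api.idToken.setCustomClaim(CLAIM_NAME, uuid);
  return true;
}

// Handler for the Login / Post Login trigger; Auth0 calls it as
// exports.onExecutePostLogin from the Actions editor.
const onExecutePostLogin = async (event, api) => {
  addUuidClaim(event, api);
};
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Constructed stand-in for the Actions `api` object: records every claim set
// instead of minting tokens, so the handler can be exercised outside Auth0.
function recordingApi() {
  const claims = { accessToken: {}, idToken: {} };
  return {
    claims,
    accessToken: { setCustomClaim: (name, value) => { claims.accessToken[name] = value; } },
    idToken: { setCustomClaim: (name, value) => { claims.idToken[name] = value; } },
  };
}

// Constructed login event for a Google-authenticated user whose uuid was stored
// in app_metadata by an earlier Action (assumed identifiers).
function runExample() {
  const api = recordingApi();
  const event = {
    user: {
      user_id: 'google-oauth2|123',
      app_metadata: { uuid: '6f1c2b3a-9d4e-4f5a-8b6c-7d8e9f0a1b2c' },
      user_metadata: { uuid: 'attacker-controlled-value' }, // ignored on purpose
    },
  };
  const added = addUuidClaim(event, api);
  return { added, claims: api.claims };
}
```

The claim is then read by the API from the access token's payload under the full namespaced name, not from a prefix of it, and is only meaningful once the token is a JWT issued for that API's audience.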

Thanks for the quick and detailed reply! I don’t know how I missed the notification.

when you authorise with this flow you will receive an ID Token and Access Token, you can use the Access Token received here for access to your API

Actually, I have already tried to use the access token from the native application to authorize against the API, but had no success with that. The API would not accept the token (401 Unauthorized error).

The application is built with Flutter and I have referenced this and this. I got the authentication working in the app (I was able to log in with Google), but the access token somehow had an invalid signature (checked on jwt.io).

It’s confusing because if any credentials or configuration were wrong I would not be able to log in in the first place. Could you please give me an idea of how to approach this?

Hi @subee.admin

The guides appear to use opaque access tokens, which are not in JWT format (I wouldn’t have thought these were readable on jwt.io), unless you have a custom API defined in your Auth0 dashboard with an identifier that you’re using as the audience value in your app; that will produce a token in JWT format (see https://auth0.com/docs/security/tokens/access-tokens). If so, I would just ensure the identifier of this custom API and your audience value match exactly. If you were using {YOUR_AUTH0_DOMAIN}/userinfo as the audience value then your access token will be an opaque string.

For more information about creating and configuring an API in Auth0, see: https://auth0.com/docs/apis

Otherwise, did you notice if there was anything off on jwt.io? Access token expired, perhaps?

I would also check the OIDC Conformant switch, located in the client’s advanced settings. See this for more info: https://auth0.com/docs/api-auth/tutorials/adoption/oidc-conformant

Regards
Saqib.


OMG! I never thought it would generate an opaque access token… Adding audience as an additional parameter was the key.

Thank you so much for your kind explanation!

No worries! We’re here for you!