Adding role to client-credential grant

Hi Everyone,

I have an Express server and an Azure function app (can be treated as a separate server) running and I need for the Azure app to be able to authenticate any API requests it makes to the express server. I’ve set this up with an API that has an authorized Machine to Machine application setup on the Auth0 and I generate a token for my Azure app using the client-credentials grant (using the Client ID + secret). This is working at this point in time.
I also have user’s who are able to login to the site served by the Express server. They use the Auth0Lock library to authenticate against the same API as the one used for the client-credential grant. This is also working.

I now have an additional requirement to restrict access to certain APIs on my Express server to certain user roles/groups. To do this, I created a new rule which adds a custom claim to the access_token with a role from that user’s app_metadata based on what I found in Access Tokens

This rule doesn’t work on the client-credential grant but following Customize Tokens Using Hooks with Client Credentials Flow I created a hook for my client credentials which can add a role here.

The problem I have with this is that this hook appears to add the role to every client-credential grant, not just the ones from the client I want. I am considering adding a the client ID of the application I want as a secret and comparing it against given by client.id argument.

My questions are as follows:
1.) Is the above idea secure? Would comparing any of client.tenant, audience, context.body.client_secret
be required and/or sufficient?
2.) More generally, is this the proper way to go about authentication/authorizing users? I’m new to using Auth0 and security in general but we’re prepared to remove the current system and rebuild if there is a better way to go about this.

1 Like

Going to bump this thread to see if it can get some more attention.
Please let me know if there is a better place to ask this question.

Hey there!

Terribly sorry for such delay in response! We’re doing our best in providing the best developer support experience out there, but sometimes our bandwidth is just not enough for all the questions that are coming in. Sorry for the inconvenience!

Do you still require further assistance from us?

Hey Konrad,

I would still appreciate an answer to the original question. While we haven’t had any issues thus far, if the above solution presents a security risk it will need to be changed.

Hey there!

Sorry for the delay in response but I got a little bit trapped in all the questions that were coming in to community forum and sometimes its number is too much for a three people team handling that.

I discussed it with the team and unfortunately these kind of scenarios are too complex to be covered in the community and what I’ve been advised about was to direct you towards our professional services here:

Thank you and sorry for any inconvenience!