APIs and permissions from M2M vs regular applications

When creating a API in auth0, I have the option of allowing other M2M applications to authenticate to it via the “Machine to Machine applications” tab.
However, it looks that for regular “Application” type applications, all of these are allowed access by default.

I know that I can lock this down via permission scopes, but I feel like that’s overkill - a simple “yes/no” choice so that only “app A” is allowed to authenticate to “API a”, while “app B” is not allowed is all I need.

Is there some hidden Auth0 functionality I’m missing that lets me accomplish this?

Trond Hindenes

Hi @trondhindenes and thanks for reaching out!

If possible would you be able to supply me with a screenshot of what you mean here or supply a bit more detail?

Best Regards,

sorry for being unclear.

Lets say that I have two APIs, api-a, and api-b. If I navigate to the “Machine to Machine applications” tab on api-a, I can chose wether or not api-b has access to it.

However, I also have a vue.js app, represented by an auth0 application called “frontend-a”.

I’m looking for the simplest possible way to control which api’s “frontend-a” is allowed to call - it seems that if I don’t do anything it can grab a valid access token for both api-a and api-b and I don’t necessarily want to allow that.

Hopefully that makes it a bit clearer? I’d rather not post screenshots in public since they’re full of app names, client ids and other things we’re hesitant to share.

Hi @trondhindenes,

I think that makes some more sense thanks, the Machine To Machine Applications tab will show both M2M and Regular Web Applications which can be explicitly authorized to use an API. In that section, there’s a bit of text that I think hints at what you’re describing:

“Single Page and Native apps do not require further configuration. SPAs can execute the Implicit Grant to access APIs while Native Apps can do Authorize Code with PKCE for the same purpose.”

If you’d like to restrict access to an API based on a certain application, you could likely do so in a Rule. That link details returning an error if an audience parameter is detected however it could be updated to suit your needs. However, you could just leave the audience parameter out of your call to begin the login flow (’/authorize’) so Auth0 wouldn’t return an Access Token that could be used for your API.

Best Regards,

That’s not what I’m seeing. I’m only seeing M2M applications (APIs), not regular web applications (what Auth0 calls an “application”).

I guess I’m finding it strange that for between M2M apps (APIs) the default is “no access” while between Web Applications and M2M apps (APIs) it seems that I have to use rules to “lock them down” as the default is seemingly wide open - In any web application I can use the client id and the configured audience of the desired M2M app (API) to get access without any explicitly configuring that.

From your reply it seems like I should be seeing both web apps and M2M apps in the “Machine to Machine applications” tab and thus be able to control access from there, but I don’t - I only see other M2M (api) apps.

1 Like

did you find an answer to the question?
While configuring Auth0, I also ended up having the same question which seems to be very strange.

I think I kinda get the answer.
So I think the audience check will have to be done on the service/API side as part of token validation.