Hi @evert,
If you are representing users then you aren’t using a Machine to Machine flow. M2M in the context of Auth0 is a different way of saying Client Credentials, more or less.
If you need to get user access tokens for testing, you are still representing a user, albeit test users. As for the risks: yes, there are risks associated with the Resource Owner Password Grant (ROPG).
In order to use the ROPG:
- Your application must handle user passwords. This leaves the possibility of mishandling plaintext passwords (logging, improper storage, etc.).
- You are opening an endpoint to accept username/password pairs directly. This broadens the attack surface of your implementation.
These are just a couple of examples of how this flow presents additional risk to your application. There may be other risks I have not touched on.
Realm support is an extension grant that allows different directories and specifications of those directories. You can find an example here.