Best practices for client metadata in M2M authorization

Hi everyone.

I’m new to Auth0 and wanted to know what the best practices or common patterns are when defining metadata on a client application (M2M) that will be used to authorize what resources that client has access to.

For example, Client1 has read access to datasets 1 and 2. When that client makes a GET request to /datasets, I only want to return datasets 1 and 2.

From what I can gather, you would define a “datasets” attribute under the “Application Metadata” section so it shows up within the “client_metadata” key. However, client_metadata is limited to 10 keys. What would be the approach if I needed more than 10 keys?

Thanks in advance

Hi @tromanowski, you can use OAuth 2.0 scopes to meet this kind of access control requirement. Continuing with your example, authorize Client1 to have scopes read:dataset1 and read:dataset2. This way, when this client receives an access_token it will have only those permissions. The datasets API can validate these permissions in the access_token and then grant or deny access accordingly.

1 Like
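The scope-based check the reply describes, as an added example that is not part of the original thread or of Auth0's own libraries: the datasets API verifies the access token, reads its `scope` claim and returns only the datasets matching `read:dataset<N>` scopes. It uses a constructed HS256 secret, an assumed audience and a constructed dataset catalogue so it runs offline; a real Auth0 M2M token is RS256-signed and would be verified against the tenant's JWKS with a JWT library.

```python
import base64, hashlib, hmac, json, time

# Constructed catalogue served by the hypothetical datasets API.
DATASETS = {"1": "sales-2023", "2": "sales-2024", "3": "hr-salaries"}
# Constructed HS256 secret and assumed API identifier (audience); a real Auth0
# M2M token is RS256-signed and is verified against the tenant's JWKS instead.
SECRET = b"constructed-example-secret"
AUDIENCE = "https://datasets.example/api"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(scopes, ttl=3600, secret=SECRET):
    """Stand-in for the authorization server: issue a client-credentials token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"aud": AUDIENCE, "gty": "client-credentials",
                                  "exp": int(time.time()) + ttl,
                                  "scope": " ".join(scopes)}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token, secret=SECRET, now=None):
    """Check structure, alg, signature, audience and expiry; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the header's choice
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload))
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

def allowed_dataset_ids(claims):
    """Translate read:dataset<N> scopes into dataset ids, ignoring other scopes."""
    prefix = "read:dataset"
    return {s[len(prefix):] for s in claims.get("scope", "").split() if s.startswith(prefix)}

def get_datasets(token):
    """GET /datasets handler: return only the datasets the token's scopes grant."""
    return sorted(i for i in allowed_dataset_ids(verify_token(token)) if i in DATASETS)
```

Because authorization lives in scopes granted to the client rather than in client_metadata, the 10-key limit does not apply, and the API never needs to look the client up.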