I have an Auth0 Application that’s configured as Machine to Machine. We currently use this application generate machine tokens for querying from the server.
I’m now trying to add on client side SPA style authentication / PKCE to this same service. Is this possible using the existing Machine to Machine application? Or do I need to create a new application?
I’m debugging this flow. The POST to /authorize is working, and it’s redirecting to my app with a code and state. However I’m currently getting a “401 unauthorized” from the /oauth/token POST and trying to debug why, and I’m wondering if it’s because this application is Machine to Machine?
I don’t have a definitive answer as to whether this is technically possible, but I do feel like these should be 2 different apps in Auth0. I assume the client-side bit will involve a user?
I added a couple additional tags to your post in hopes that this helps others discover it.
After further investigation, I don’t think this is possible, at least not in my case. The M2M app has “Token Endpoint Authentication Method” set to “POST” which requires a client secret to get a token back. My client side code doesn’t have the secret, and if I set the auth method to “None” it’s weird because then what does the M2M app do with the secret?