Client id for web app AND for machine to machine. Is this allowed ->

I have a client id for my server (and would prefer to just have 1) but it is doing a web app flow and also needs machine to machine access to the management api.

In the GUI, I can modify ‘Application Type’ from ‘Regular Web Application’ to ‘Machine to Machine’. I then enable the management api and go back to ‘Regular Web Application’ and I see google oauth is still installed.

In this way, can my app be both ‘machine to machine’ with access to mgmt api AND also be a regular web application with the oauth login with google??? This would be ideal.

I guess I will try it and find out but the GUI is very wonky implying it is one or the other which is frustrating as having 2 client ids and secrets for one server seems quite a bit odd to me.

Well, it returns an accessToken from /oauth/token when grant_type is client_credentials so it seems like this works and I can use 1 app id. It is quite wonky and should be tabbed settings perhaps.

OR NOT → on the next step, I get invalid token → {"statusCode":401,"error":"Unauthorized","message":"Invalid token","attributes":{"error":"Invalid token"}}

very odd considering it gave me an accessToken when trying to call the management api and I used this endpoint before successfully (perhaps I have some odd bug still)

seriously weird. my http client logs curl requests (soo nice), so →

curl -k --request POST -H "user-agent:Webpieces Generated API Client" -H "accept:application/json" -H "content-type:application/json" -H "content-length:226" -H "HOST:xxxx-dev.us.auth0.com" --data '{"audience":"https://xxxx-dev.us.auth0.com/api/v2/","grant_type":"client_credentials","client_id":"yyyy","client_secret":"zzzz"}' "https://xxxx-dev.us.auth0.com:443/oauth/token"

then taking the access token nnnnn and filling in, I had sent this curl which fails →

curl -k --request GET -H "user-agent:Webpieces Generated API Client" -H "accept:application/json" -H "content-type:application/json" -H "Authorization: Bearer nnnnn" -H "HOST:xxxx-dev.us.auth0.com" --data '' "https://xxxx-dev.us.auth0.com:443/api/v2/users-by-email"

How is it I get a valid access token and then get denied? hmmmm, perhaps another issue I need to find. scopes or something maybe…thinking. (though this article had nothing on scopes → Using Machine to Machine (M2M) Authorization )

back and forth we go. now that we add scopes, we get this error →

{"error":"access_denied","error_description":"Client has not been granted scopes: openid, profile, email, phone"}

odd. I enabled access for that api. I wonder why this is. perhaps I do have to have two client ids which would really suck.

FINALLY fixed: have to piece many documentation together but basically have to go into the app, change app temporarily to machine to machine type (confusing) and then check the boxes of read:users and scopes you want and then add those scopes in the api call and all is working now. it was a matter of piecing many docs together to get the full picture.

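The debugging loop in the post above (a token is issued, the Management API still rejects it, then the scope error appears) is easier to shortcut by inspecting the claims of the token before spending it. The script below is an added example, not code from the original post or from Auth0: it builds the client_credentials request, decodes the JWT payload locally without signature verification to check the `aud` and `scope` claims against what the users-by-email call needs, and only then calls the API. The tenant domain, client id and secret are constructed placeholders; `make_test_jwt` produces an unsigned dummy token purely so the checks can be exercised offline.

```python
import base64
import json
import urllib.parse
import urllib.request
from typing import Dict, List, Optional

# Constructed placeholder tenant values (hypothetical, not from the thread); substitute your own.
AUTH0_DOMAIN = "xxxx-dev.us.auth0.com"
MGMT_AUDIENCE = f"https://{AUTH0_DOMAIN}/api/v2/"


def build_client_credentials_request(client_id: str, client_secret: str, audience: str,
                                     scopes: Optional[List[str]] = None) -> Dict[str, str]:
    """JSON body for POST /oauth/token.
    Only Management API scopes (read:users, ...) belong in 'scope' here. OIDC login scopes
    such as openid/profile/email are never granted to a machine-to-machine client, which is
    exactly the access_denied error quoted in the thread."""
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
    }
    if scopes:
        body["scope"] = " ".join(scopes)
    return body


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> Dict:
    """Read the claims of a JWT WITHOUT verifying the signature.
    Local inspection only: the Management API, not this script, is the verifier."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_management_token(token: str, audience: str, required_scopes: List[str]) -> Dict:
    """Report why the Management API would reject this token: an 'aud' that is not the
    Management API is rejected as an invalid token, and a scope the client was never
    granted (the checkboxes on the M2M authorization tab) is rejected at the endpoint."""
    claims = decode_jwt_payload(token)
    aud = claims.get("aud", [])
    aud_list = aud if isinstance(aud, list) else [aud]
    granted = set(claims.get("scope", "").split())
    return {
        "audience_ok": audience in aud_list,
        "granted_scopes": sorted(granted),
        "missing_scopes": [s for s in required_scopes if s not in granted],
    }


def fetch_token(domain: str, body: Dict[str, str]) -> str:
    """POST the client_credentials request; TLS is verified (no curl -k equivalent)."""
    req = urllib.request.Request(
        f"https://{domain}/oauth/token",
        data=json.dumps(body).encode(),
        headers={"content-type": "application/json", "accept": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def users_by_email(domain: str, token: str, email: str) -> List[Dict]:
    """GET /api/v2/users-by-email; the token must carry read:users."""
    query = urllib.parse.urlencode({"email": email})
    req = urllib.request.Request(
        f"https://{domain}/api/v2/users-by-email?{query}",
        headers={"authorization": f"Bearer {token}", "accept": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def make_test_jwt(claims: Dict) -> str:
    """Constructed, unsigned JWT (alg none, empty signature) for offline testing only."""
    def enc(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Offline demo: a constructed token for the right audience that lacks one scope.
    sample = make_test_jwt({"aud": MGMT_AUDIENCE, "scope": "read:users"})
    print(check_management_token(sample, MGMT_AUDIENCE, ["read:users", "read:user_idp_tokens"]))
    # Live use (network, real credentials): uncomment and fill in.
    # body = build_client_credentials_request("yyyy", "zzzz", MGMT_AUDIENCE, ["read:users"])
    # token = fetch_token(AUTH0_DOMAIN, body)
    # print(check_management_token(token, MGMT_AUDIENCE, ["read:users"]))
    # print(users_by_email(AUTH0_DOMAIN, token, "someone@example.com"))
```

Run the check before every Management API call during setup: an empty `missing_scopes` list plus `audience_ok` narrows the remaining failure causes to the tenant configuration rather than the request. Keeping the client secret server side, as the reply below notes, is what makes sharing one client id between the login flow and the Management API tolerable at all.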

Hey there @dean2 !

Glad to hear you were able to piece this together - While it’s typically recommended to have 2 separate “apps” in this scenario (regular web app + m2m) it is technically possible to use 1 set of credentials as you’ve noticed. As long as these credentials are managed securely server side, you should be fine. You will of course need to mind the different scopes required by each interaction, which can potentially become complex and perhaps a reason to separate the two.
