Hello
I still haven’t fully implemented Auth0 but I’m starting to do so, and this issue seems to be a blocker for me.
So we will use Auth0 with organizations, and for our web application it should work ok.
However, we will have many cron jobs running on behalf of these orgs, and we wanted to uniformize the access to our business logic that is contained in an API. Yet if we want to create a client_credentials token, then according to your documentation, it would not be possible.
So the question is, how can we handle that case then? I wouldn’t want to have a secondary authentication mechanism so our backend services can access the APIs.
And a secondary question, assuming I will be able to generate that cc token, can I add a custom “sub” claim to the token? I want to do a client_credentials token with a sub=“cronjob_123”, this way I can still use this sub in the auditing data (even if it’s an “artificial” user, it will help us to identify where the modification came from).
Why not? You shouldn’t have trouble getting an access token in whatever script is running in your cron job. Client credentials is most likely the way to go in this scenario. The cron job would be the client/application in this scenario.
The sub claim is meant to be the identifier of the resource server that is consuming the token. It sounds like this would be the API in your example, not the cron job.
Yes, after I sent this message, I was able to emit the client_credentials token. But it is because I had to create a second application marked as M2M, while our main application (UI) would remain using Universal Login.
So it is possible.
On the second one, ok, I agree. But to workaround that part, I am sending an additional parameter called my_param to the oauth/token endpoint, and within an Action for M2M, I add it as a custom claim to the token.
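As an added illustration of the workaround in the last reply (example code, not the poster's or Auth0's own): an Action for the M2M trigger that reads `my_param` from the token request and sets it as a namespaced custom claim, but only after checking it against an allowlist pattern, so that whoever holds the client secret cannot stamp an arbitrary identity into the token. Assumptions: the handler name `onExecuteCredentialsExchange`, `event.request.body`, `api.accessToken.setCustomClaim` and `api.access.deny` as in the Auth0 Actions API; the claim namespace and the identifier pattern are placeholders, and the small runtime stand-in is constructed so the handler can run offline.

```javascript
// Added example (not the poster's code): Auth0 Action for the Machine to
// Machine (client credentials) trigger. It copies the caller-supplied
// my_param into a namespaced custom claim after validating it, so the
// token never carries an unexpected value. Assumed Actions API: handler
// onExecuteCredentialsExchange, token request body in event.request.body,
// api.accessToken.setCustomClaim and api.access.deny.

const ACTOR_CLAIM = 'https://example.com/actor';        // placeholder namespace
const ACTOR_PATTERN = /^cronjob_[a-z0-9_]{1,32}$/i;     // constructed allowlist

const onExecuteCredentialsExchange = async (event, api) => {
  const body = (event.request && event.request.body) || {};
  const actor = body.my_param;
  if (actor === undefined) return;                       // plain M2M token, nothing to add
  if (typeof actor !== 'string' || !ACTOR_PATTERN.test(actor)) {
    // Refuse to mint a token rather than embed an unvetted identifier
    api.access.deny('invalid_request', 'my_param is not an allowed actor id');
    return;
  }
  api.accessToken.setCustomClaim(ACTOR_CLAIM, actor);
};

// Export under the name the Actions runtime looks for (when run as CommonJS).
if (typeof exports !== 'undefined') {
  exports.onExecuteCredentialsExchange = onExecuteCredentialsExchange;
}

// Constructed stand-in for the Actions runtime, for running the handler offline.
function makeApi() {
  const claims = {};
  let denied = null;
  return {
    accessToken: { setCustomClaim: (name, value) => { claims[name] = value; } },
    access: { deny: (code, reason) => { denied = { code, reason }; } },
    result: () => ({ claims, denied }),
  };
}

// Runs the Action against a constructed token request body and returns
// { claims, denied } so the outcome can be inspected.
async function runAction(body) {
  const api = makeApi();
  const event = { request: { body }, client: { client_id: 'constructed_client_id' } };
  await onExecuteCredentialsExchange(event, api);
  return api.result();
}
```

With `my_param=cronjob_123` the token gains the actor claim; with an unexpected value such as `admin` the exchange is denied, and a request without `my_param` yields an ordinary client credentials token.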