Differentiate Access Token between a User and Application (Client)

Hi there,

Which properties (claims) should one use to differentiate between an access token issued for a User and one for an Application (Client, Machine-to-Machine)?

I’ve been inspecting the access tokens issued for a User and Application, and one of the differences I could think of for doing this is inspecting the “sub” claim, since the one issued for a User always starts with “auth0|…”, while the one issued for an Application (Machine to Machine) ends with “…@clients”. However, I’m not sure if this is a safe option, and if there are perhaps better ways of doing this.

Also, I’ve set up a Rule which adds the user_metadata and app_metadata claims to the access token when an authenticated User (through an Angular app) accesses my API. I’ve also configured a Hook for the client credentials grant type which adds the client_metadata claim to the access token (used for Machine-to-Machine). I could perhaps also use this to detect the origin, but again, I’m not sure if this is the right way of doing so.

Hopefully someone could point me in the right direction.
Btw, I’m using an ASP.NET Core 3.1 Web API which is protected by Auth0.

2 Likes

IMO, differentiating based on sub might work. I would also add an additional scope to tokens generated via the client credentials grant to indicate so. Again, this is just my opinion, and don’t take it as a best practice. Others here might have better recommendations.

Thanks Ashish for your response. I decided to validate the metadata claims and check if the property the API requires is present and valid in the metadata objects. Otherwise, access is denied.

If anyone is interested in the logic for the rules and hooks, and perhaps even the authorization filter in ASP.NET, let me know.
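An added example (not the original poster's ASP.NET filter, nor Auth0's own code) showing, in Python, how the three signals from this thread can be combined: the "sub" prefix/suffix from the question, the extra client-credentials scope Ashish suggests, and the metadata-claim check the poster settled on. The scope name "m2m" and the sample claim sets are assumptions; the claim names are used as written in the thread (in a real Auth0 tenant custom claims are namespaced URLs), and signature, issuer and audience are assumed to have been verified before these claims are inspected.

```python
# Added example (not the original poster's ASP.NET code): classify an already
# validated Auth0 access-token claim set as User or Machine-to-Machine using the
# signals discussed in the thread, and gate access on a metadata property.
from enum import Enum
from typing import Optional

# Assumed name of the extra scope Ashish suggests adding to client-credentials tokens.
M2M_SCOPE = "m2m"

class Principal(Enum):
    USER = "user"
    MACHINE = "machine"

def classify_token(claims: dict) -> Optional[Principal]:
    """Return USER, MACHINE, or None when the signals are absent or contradict."""
    sub = claims.get("sub", "")
    scopes = set(claims.get("scope", "").split())
    # "auth0|" is only the database-connection prefix; social or enterprise
    # connections use other prefixes, so treat it as one signal, not the rule.
    user_signals = sub.startswith("auth0|") or "app_metadata" in claims
    machine_signals = (sub.endswith("@clients") or M2M_SCOPE in scopes
                       or "client_metadata" in claims)
    if user_signals == machine_signals:  # neither, or both: refuse to guess
        return None
    return Principal.USER if user_signals else Principal.MACHINE

def authorize(claims: dict, required_property: str) -> bool:
    """Allow only if the principal's admin-controlled metadata carries the property.
    user_metadata is editable by the end user and is deliberately not consulted."""
    kind = classify_token(claims)
    if kind is Principal.USER:
        metadata = claims.get("app_metadata") or {}
    elif kind is Principal.MACHINE:
        metadata = claims.get("client_metadata") or {}
    else:
        return False  # unclassifiable token: deny, as the poster's filter does
    return bool(metadata.get(required_property))

# Constructed sample claim sets (signature, issuer and audience verified upstream).
USER_CLAIMS = {
    "sub": "auth0|5f1c2a0b9d8e7f6a5b4c3d2e", "scope": "openid read:orders",
    "app_metadata": {"tenant": "acme", "role": "reader"},
    "user_metadata": {"nickname": "jdoe"},
}
M2M_CLAIMS = {
    "sub": "Abc123ClientId@clients", "scope": "read:orders " + M2M_SCOPE,
    "client_metadata": {"tenant": "acme"},
}
# A user sub carrying a client_metadata claim is inconsistent and must be denied.
MIXED_CLAIMS = {"sub": "auth0|deadbeef", "client_metadata": {"tenant": "acme"}}
```

authorize(USER_CLAIMS, "tenant") and authorize(M2M_CLAIMS, "tenant") both return True, while authorize(MIXED_CLAIMS, "tenant") returns False because the signals contradict each other.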

@ashish I realize this is old, but can you elaborate on adding additional scopes? E.g. links to how this might be done.

And also why using the sub field “might” work, and why it might not?