Hi there,
Which properties (claims) should one use to differentiate between an access token issued for a User and one for an Application (Client, Machine-to-Machine)?
I’ve been inspecting the access tokens issued for a User and Application, and one of the differences I could think of for doing this is inspecting the “sub” claim, since the one issued for a User always starts with “auth0|…”, while the one issued for an Application (Machine-to-Machine) ends with “…@clients”. However, I’m not sure if this is a safe option, and if there are perhaps better ways of doing this.
Also, I’ve set up a Rule which adds the user_metadata and app_metadata claims to the access token when an authenticated User (through an Angular app) accesses my API. I’ve also configured a Hook for the client credentials grant type which adds the client_metadata claim to the access token (used for Machine-to-Machine). I could perhaps also use this to detect the origin, but again, I’m not sure if this is the right way of doing so.
Hopefully someone could point me in the right direction.
Btw, I’m using an ASP.NET Core 3.1 Web API which is protected by Auth0.
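An added example, not code from the post or from Auth0, of turning the claim checks described above into ASP.NET Core 3.1 authorization policies. It checks issuer-set claims first (Auth0 puts `gty: client-credentials` on client credentials tokens, and the post's Hook/Rule add `client_metadata` or `user_metadata`/`app_metadata`) and only falls back to the shape of `sub`; the custom claim names are assumptions (Auth0 normally requires them to be namespaced, so adjust the constants).

```csharp
using System;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;

public enum CallerKind { Unknown, User, Machine }

public static class Auth0CallerKind
{
    // Assumed claim names; match whatever your Rule and Hook actually emit.
    const string ClientMetadata = "client_metadata";
    const string UserMetadata = "user_metadata";
    const string AppMetadata = "app_metadata";

    public static CallerKind Classify(ClaimsPrincipal principal)
    {
        // 1. Claims the issuer sets explicitly are the most reliable signal.
        if (principal.HasClaim(c => c.Type == "gty" && c.Value == "client-credentials"))
            return CallerKind.Machine;
        if (principal.HasClaim(c => c.Type == ClientMetadata))
            return CallerKind.Machine;
        if (principal.HasClaim(c => c.Type == UserMetadata || c.Type == AppMetadata))
            return CallerKind.User;

        // 2. Last resort: the shape of "sub". Fragile, because the "auth0|" prefix
        //    only covers the database connection; social/enterprise users use other prefixes.
        //    The JWT handler maps "sub" to NameIdentifier unless MapInboundClaims is off,
        //    so look at both claim types.
        var sub = principal.FindFirst("sub")?.Value
                  ?? principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (sub == null) return CallerKind.Unknown;
        if (sub.EndsWith("@clients", StringComparison.Ordinal)) return CallerKind.Machine;
        if (sub.Contains('|')) return CallerKind.User;
        return CallerKind.Unknown;
    }
}

public static class CallerPolicies
{
    public const string UsersOnly = "UsersOnly";
    public const string MachinesOnly = "MachinesOnly";

    // Register in Startup: services.AddAuthorization(o => o.AddCallerKindPolicies());
    public static void AddCallerKindPolicies(this AuthorizationOptions options)
    {
        options.AddPolicy(UsersOnly, p => p.RequireAssertion(
            ctx => Auth0CallerKind.Classify(ctx.User) == CallerKind.User));
        options.AddPolicy(MachinesOnly, p => p.RequireAssertion(
            ctx => Auth0CallerKind.Classify(ctx.User) == CallerKind.Machine));
    }
}
```

Controllers then opt in with `[Authorize(Policy = CallerPolicies.MachinesOnly)]`; an `Unknown` result fails both policies, which is the safe default for a token whose origin cannot be established.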