How to distinguish multiple device instances using one machine-to-machine application?

maybeicanusethisnam3 · January 31, 2022, 8:56pm

We have the following use case: we have multiple embedded devices that intermittently connect to our API. To authenticate itself, a device connects to a machine-to-machine Auth0 application to get a JWT, then uses this token to access our API. The devices have a small tamper-proof memory that can store the client_id and client_secret value that the M2M application expects. The devices are unsupervised, there is no user interface on them and have to operate without a human being present.

As far as I understand the documentation of the client credentials flow, it assumes either there is only one backend instance, or they are indistinguishable/interchangeable if there are more. On the other hand, we would like to know the identity of the device that makes a request to our API, preferably via having each device use a different client_id (I’m open to suggestions of other ways to achieve this).

I created a M2M application for testing the device prototype, but it seems not possible to customize the client_id and client_secret values or to have multiple of them, although https://auth0.com/blog/using-m2m-authorization/#Common-Use-Cases-for-M2M-Communications seems to suggest it is possible to give each device an unique client_id/client_secret pair. I would like to avoid having to create a separate M2M application for each device. I saw that it is possible to use Rules to insert additional claims into the JWT.

Is it possible to use the client grant flow in this case? How can I set up the M2M application to allow multiple client_id/client_secret pairs? If that is not possible, how can I make each device report an identifier that I control and gets embedded into the JWT?

Thank you for your consideration.

john.gateley · February 1, 2022, 2:16pm

Hi @maybeicanusethisnam3

I think the multiple M2M application is the best approach. You don’t create them manually, you would have a script/dashboard that interacts with the management API to create them, pull the new client ID/secret out and deliver that to the secure memory.

How many devices? How often do they get M2M tokens? Make sure your Auth0 contract supports this amount.

John

maybeicanusethisnam3 · February 2, 2022, 12:03am

@john.gateley

Thank you for your reply. As I understand your reply, one M2M application per device is the best approach. I was not aware of a scriptable management interface, but if instantiating a new M2M application and pulling out the client_id/client_secret key out is not a big burden on Auth0, then this is the easiest way to go towards our goals.

To answer you question about how many devices, we have <10 right now (due to chip shortages &c.), but it should scale to >10k or above once we exit the startup company phase. How often they get M2M tokens depends on how long the tokens are valid. The software I’m writing does take into account the expiry timestamp of the tokens so the device will defer refreshing the token until it determines that the token won’t be valid by the next time it needs to access the API. I will contact the person responsible for the Auth0 contract to iron out the details for this.

I sincerely thank you for your time considering my question.