We have the following use case: we have multiple embedded devices that intermittently connect to our API. To authenticate itself, a device connects to a machine-to-machine Auth0 application to get a JWT, then uses this token to access our API. The devices have a small tamper-proof memory that can store the client_id and client_secret values that the M2M application expects. The devices are unsupervised, there is no user interface on them, and they have to operate without a human being present.
As far as I understand the documentation of the client credentials flow, it assumes either that there is only one backend instance or that, if there are more, they are indistinguishable/interchangeable. On the other hand, we would like to know the identity of the device that makes a request to our API, preferably by having each device use a different client_id (I’m open to suggestions of other ways to achieve this).
I created an M2M application for testing the device prototype, but it does not seem possible to customize the client_id and client_secret values or to have more than one pair of them, although https://auth0.com/blog/using-m2m-authorization/#Common-Use-Cases-for-M2M-Communications seems to suggest it is possible to give each device a unique client_id/client_secret pair. I would like to avoid having to create a separate M2M application for each device. I saw that it is possible to use Rules to insert additional claims into the JWT.
Is it possible to use the client grant flow in this case? How can I set up the M2M application to allow multiple client_id/client_secret pairs? If that is not possible, how can I make each device report an identifier that I control and that gets embedded into the JWT?
Thank you for your consideration.
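As an added example (not part of the original question), here is an offline Python sketch of the two halves involved: the device builds the form body it would POST to the tenant's /oauth/token endpoint with grant_type=client_credentials, and the API validates the returned access token and decides which device it is talking to. In an Auth0 M2M access token the `azp` claim is the client_id that requested the token and `sub` is `<client_id>@clients`, so a distinct client per device already yields a per-device identity; when many devices share one client, the identity has to come from a namespaced custom claim instead. Everything here is constructed: the tenant domain, audience, claim name, client_id and device_id are placeholders, and the token is signed with a made-up HS256 secret so the script runs without a network or a JWT library. Real Auth0 access tokens are RS256 and must be verified against the tenant's JWKS, not a shared secret.

```python
"""Offline model of the client-credentials exchange from the question.

Constructed example, not code from the original post or from Auth0.
HS256 with a placeholder secret stands in for Auth0's RS256 signing so the
script runs offline; a real API verifies against the tenant's JWKS.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlencode

TENANT = "https://example-tenant.auth0.com/"          # placeholder issuer (tenant domain)
AUDIENCE = "https://api.example.com/"                 # placeholder API identifier
DEVICE_CLAIM = "https://api.example.com/device_id"    # placeholder namespaced custom claim
SIGNING_SECRET = b"constructed-test-secret-do-not-use" # placeholder; never a shared secret in prod


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def token_request_body(client_id: str, client_secret: str) -> str:
    """Form body the device POSTs to {TENANT}oauth/token.
    The secret travels only here, over TLS, never in the JWT."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": AUDIENCE,
    })


def mint_test_token(client_id: str, device_id: Optional[str],
                    ttl: int = 3600, now: Optional[int] = None) -> str:
    """Stand-in for the access token Auth0 would return.
    Claim shape mirrors an M2M token: sub='<client_id>@clients', azp=client_id,
    plus an optional namespaced custom claim carrying the device identity."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": TENANT, "sub": f"{client_id}@clients", "aud": AUDIENCE,
        "iat": now, "exp": now + ttl, "azp": client_id, "gty": "client-credentials",
    }
    if device_id is not None:
        payload[DEVICE_CLAIM] = device_id
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(payload).encode())}"
    sig = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_and_identify(token: str, now: Optional[int] = None) -> dict:
    """API side: check signature, issuer, audience and expiry, then return
    the identity the API may trust. Raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # the verifier, not the token, fixes the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != TENANT:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    # azp is the client_id that obtained the token: one client per device gives
    # a per-device identity directly; the custom claim covers a shared client.
    return {"client_id": claims["azp"], "device_id": claims.get(DEVICE_CLAIM)}


if __name__ == "__main__":
    print(token_request_body("abc123", "s3cret"))
    tok = mint_test_token("abc123", "sensor-0042")
    print(verify_and_identify(tok))
```

The point of the verifier is that the device identity is read only from claims that survived signature, issuer, audience and expiry checks; nothing the device sends outside the token (a header, a query parameter) should be used to pick which device a request belongs to.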