I am a little confused as to how we would use scopes present in an M2M token to deny or allow access, since all the scopes allowed for the app are always returned. Does this mean we have to create a new app for every different set of scopes we want to allow?
Would you know how to do it with Actions? In the documentation it says there is a function called api.accessToken.removescope(), but in the M2M flow, Auth0 does not recognize it.
Is that the best way to do it? Seems like there should be a more automatic way of doing things, instead of manually creating a new app for every group of services and assigning them different scopes
Yes, it would be the best way to do it. Let me clarify: you won’t be able to use api.accessToken.removescope() as that’s intended for the authorization code flow, which involves user interaction.
In a client credentials flow (Machine-to-Machine), when the M2M app authorizes against the API, it gets all the permissions defined for that application.
By doing so, you can control the permissions by setting specific scopes for each m2m app.