Let users generate restricted M2M API tokens?

I am looking into IAM.

I want to give users the possibility to generate API tokens (technically it will be Client Credentials, I assume) which give them API access without ROPC. Ideally the long-term token can be further restricted by the owner.

Is there a way to do this? Some terminology to search for?
How to generate tokens for API users? - Auth0 Community is basically the same request, but doesn’t contain meaningful responses (except for How to generate tokens for API users? - #7 by ruby, but that seems to be too much of a workaround. I don’t assume that refresh tokens are reliably valid for 1+ year).

Thanks in advance!

Hi @thomasmic,

Welcome to the Auth0 Community!

We don’t currently support API-key-like functionality. If you wanted to give your users access to an API, you would need to issue them a client ID and client secret (you would register one application per user), and they should implement the client credentials flow to obtain access tokens in their applications.

Thanks @dan.woda!

I don’t quite get how the access_tokens they obtain are linked to their user, and how to automatically invalidate them once the user is disabled/deleted.

The best alternative would probably be to self-develop the IAM using passportjs or to write a Keycloak add-on? Or do you have another idea?

Best Regards!

It’s possible to implement using Auth0, but it is not a feature we have turn-key support for. You would have to build out the UI and functionality yourself, Auth0 would just act as the auth server for issuing tokens and managing the user DB. You would need to create a dashboard, store user information about which users have been issued which client credentials, etc.
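The reply above describes the pieces you would have to build yourself: one client per user, a store that records which user owns which client credentials, a client credentials exchange, and some way to link the resulting tokens back to the user so they can be cut off when the user is disabled. The following is an added, self-contained model of that design (example code, not Auth0's API and not from the original thread): an in-memory registry plus a minimal HS256 token endpoint and resource-server check. The `https://example.com/owner` custom claim, the `ClientRegistry` class and its method names, the signing key and the scope names are all assumptions made for the illustration; in a real deployment the client would be created through the identity provider's management API and the owner claim would be added server-side when the token is minted. The `<client_id>@clients` subject format mirrors Auth0's convention for client credentials tokens.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed example: an in-memory stand-in for the authorization server and
# the dashboard's user -> client registry. Nothing here talks to Auth0.
SIGNING_KEY = b"example-signing-key-not-for-production"  # assumption: HS256 for brevity
TOKEN_TTL = 600  # short-lived access tokens bound the window after revocation
OWNER_CLAIM = "https://example.com/owner"  # assumed namespaced custom claim


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class ClientRegistry:
    """Maps issued client credentials back to the owning user (hypothetical store)."""

    def __init__(self):
        self.clients = {}  # client_id -> {"user_id", "secret_hash", "scopes"}
        self.disabled_users = set()

    def register_client(self, user_id: str, scopes: set) -> tuple:
        """Issue a client_id/secret pair for a user; the secret is returned once."""
        if user_id in self.disabled_users:
            raise PermissionError("user is disabled")
        client_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)  # high entropy, so a plain hash suffices
        self.clients[client_id] = {
            "user_id": user_id,
            "secret_hash": hashlib.sha256(secret.encode()).hexdigest(),
            "scopes": set(scopes),
        }
        return client_id, secret

    def restrict(self, client_id: str, user_id: str, scopes: set) -> None:
        """Let the owner narrow a client's scopes; widening is refused."""
        rec = self.clients[client_id]
        if rec["user_id"] != user_id:
            raise PermissionError("not the owner of this client")
        if not set(scopes) <= rec["scopes"]:
            raise ValueError("can only narrow scopes, not widen them")
        rec["scopes"] = set(scopes)

    def disable_user(self, user_id: str) -> None:
        """Disabling a user deletes their clients, so future exchanges fail.
        Already-issued bearer tokens stay valid until exp unless the API rechecks."""
        self.disabled_users.add(user_id)
        for cid in [c for c, r in self.clients.items() if r["user_id"] == user_id]:
            del self.clients[cid]


def sign_token(claims: dict) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def token_endpoint(reg: ClientRegistry, client_id: str, client_secret: str,
                   scope: str, now: int = None) -> dict:
    """Client credentials grant: verify the secret, enforce scopes, mint a token."""
    rec = reg.clients.get(client_id)
    presented = hashlib.sha256(client_secret.encode()).hexdigest()
    stored = rec["secret_hash"] if rec else "0" * 64  # same work for unknown ids
    if not (rec and hmac.compare_digest(presented, stored)):
        return {"error": "invalid_client"}
    wanted = set(scope.split()) if scope else rec["scopes"]
    if not wanted <= rec["scopes"]:
        return {"error": "invalid_scope"}
    now = now or int(time.time())
    claims = {
        "sub": f"{client_id}@clients",
        "azp": client_id,
        OWNER_CLAIM: rec["user_id"],  # links the M2M token to the human owner
        "scope": " ".join(sorted(wanted)),
        "iat": now,
        "exp": now + TOKEN_TTL,
    }
    return {"access_token": sign_token(claims), "token_type": "Bearer",
            "expires_in": TOKEN_TTL}


def verify_token(reg: ClientRegistry, token: str, now: int = None):
    """Resource-server check: signature, expiry, and that the client still exists."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None
    claims = json.loads(_unb64(body))
    now = now or int(time.time())
    if claims["exp"] <= now:
        return None
    if claims["azp"] not in reg.clients:  # client deleted because its user was disabled
        return None
    return claims
```

The point of the registry recheck in `verify_token` is the invalidation question raised earlier in the thread: a client credentials access token is a bearer token and is not recalled when the client is deleted, so either keep the TTL short and accept that window, or have the API consult the owner mapping (or the IdP) on each request.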

Thanks for the reply - even though it is not what I hoped for!

Best Regards!

