M2M Tokens with org_id

I just read the “Building B2B SaaS Products” post from @shreya.gupta and have a question / issue that has been bugging my team and me for over a year now:

I want to test my Organization-enabled (exclusive for organizations, no org_id → no access) API. This is impossible since:

"Organizations-enabled applications are not compatible with the following grants and protocols: Resource Owner Password, Client Credentials, Device Authorization Flow, WS-Fed (Auth0 as IdP)." - Understand How Auth0 Organizations Work

I could solve the permission/role tests with M2M tokens, but M2M tokens do not have an org_id, which means access to the API is prohibited.

How do I solve this?

Hey there @PatrickHeneise!

Thinking out loud here - Have you considered just adding the org_id as a custom claim to the m2m token in an action? You won’t be able to use org_id as it’s restricted, but you could use something like test_org_id. This would require your API checking for the custom claim as opposed to org_id:

```javascript
exports.onExecuteCredentialsExchange = async (event, api) => {
  if (event.client.client_id === 'YOUR_M2M_CLIENT_ID') {
    api.accessToken.setCustomClaim('test_org_id', 'YOUR_ORG_ID');
  }
};
```
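One way the API-side check for the custom claim could look, as an added example that is not part of the original posts: it accepts `test_org_id` only on client-credentials tokens from an allow-listed client and for an allow-listed organization, so the test path cannot widen access elsewhere. `resolveOrgId`, the config fields and the sample claims are hypothetical, and the `gty`/`azp`/`sub` shape of an Auth0 M2M token is an assumption to confirm against your own tokens.

```javascript
// Added example, not from the thread. Input: claims of an access token whose
// signature, issuer and audience were already verified by the API's JWT middleware.

// Hypothetical config; the placeholders mirror those in the Action above.
const SAMPLE_CONFIG = {
  allowTestClaim: true,                 // set to false in production deployments
  testClients: ['YOUR_M2M_CLIENT_ID'],  // only these M2M clients may use test_org_id
  testOrgs: ['YOUR_ORG_ID'],            // only these orgs are reachable that way
};

const deny = (reason) => ({ ok: false, orgId: null, reason });

function resolveOrgId(claims, cfg) {
  // Normal path: the user logged in through an Organization, so org_id is set.
  if (typeof claims.org_id === 'string' && claims.org_id !== '') {
    return { ok: true, orgId: claims.org_id, source: 'org_id' };
  }
  const testOrg = claims.test_org_id;
  if (typeof testOrg !== 'string' || testOrg === '') return deny('no org_id');
  if (!cfg.allowTestClaim) return deny('test claim disabled');

  // Assumed M2M token shape: gty "client-credentials", sub "<client_id>@clients".
  const isM2M = claims.gty === 'client-credentials' &&
                claims.sub === `${claims.azp}@clients`;
  if (!isM2M) return deny('test claim on non-M2M token');
  if (!cfg.testClients.includes(claims.azp)) return deny('client not allow-listed');
  if (!cfg.testOrgs.includes(testOrg)) return deny('org not allow-listed');
  return { ok: true, orgId: testOrg, source: 'test_org_id' };
}

// Constructed sample claims (not a real token).
const sampleM2MClaims = {
  sub: 'YOUR_M2M_CLIENT_ID@clients',
  azp: 'YOUR_M2M_CLIENT_ID',
  gty: 'client-credentials',
  test_org_id: 'YOUR_ORG_ID',
};
console.log(resolveOrgId(sampleM2MClaims, SAMPLE_CONFIG));
```

Logging `source` alongside the resolved organization makes any use of the test path visible in the API's audit trail.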

Thanks, but that would also mean special logic in my app to handle this case for testing, which is not ideal. I’d prefer to have a proper solution from Auth0 for this.

No worries, happy to help where I can. Unfortunately, as M2M tokens don’t support an organization I can’t see that being an option for strictly testing, but feel free to create a Feedback request.

The only other option I can really think of for testing given the org_id requirement is creating a test user(s) of organizations - Auth0 unfortunately doesn’t offer any sort of user impersonation so this may be your best bet. The auth0-cli provides a test token command which could be useful in generating an access token for test users.
