M2M Tokens with org_id

I just read the “Building B2B SaaS Products” post from @shreya.gupta and have a question / issue that has been bugging my team and me for over a year now:

I want to test my Organization-enabled (exclusive for organizations, no org_id → no access) API. This is impossible since:

"Organizations-enabled applications are not compatible with the following grants and protocols: Resource Owner Password, Client Credentials, Device Authorization Flow, WS-Fed (Auth0 as IdP)." - Understand How Auth0 Organizations Work

I could solve the permission/role tests with M2M tokens, but M2M tokens do not have an org_id, which means access to the API is prohibited.

How do I solve this?

Hey there @PatrickHeneise!

Thinking out loud here - Have you considered just adding the org_id as a custom claim to the m2m token in an action? You won’t be able to use org_id as it’s restricted, but you could use something like test_org_id. This would require your API checking for the custom claim as opposed to org_id:

// Auth0 Action on the Machine to Machine (credentials exchange) trigger.
exports.onExecuteCredentialsExchange = async (event, api) => {
  // Only stamp the claim on tokens issued to the designated M2M test client.
  if (event.client.client_id === 'YOUR_M2M_CLIENT_ID') {
    // 'org_id' is a restricted claim name, so a custom name is used instead.
    api.accessToken.setCustomClaim('test_org_id', 'YOUR_ORG_ID');
  }
};
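To make the API side of that suggestion concrete, here is an added example that is not part of the original thread or of any Auth0 code. It assumes the API's JWT middleware has already verified the token's signature, issuer, audience and expiry, and that `claims` is the decoded payload. The claim name `test_org_id`, the placeholder client ID `YOUR_M2M_CLIENT_ID`, the function names and the sample payloads are all assumptions constructed for this example. It uses two claims Auth0 places in client-credentials tokens, `azp` (the requesting client ID) and `gty` (`client-credentials`), so the fallback is only honoured for the one M2M client the Action stamps, and it keeps the fallback switched off unless the API is explicitly run with a test option.

```javascript
// Added example (not from the thread): resolve the organization for a request
// from already-verified Auth0 access-token claims. Normal tokens carry `org_id`;
// the M2M test client's tokens carry the custom `test_org_id` claim set by the
// Action, and that fallback is only honoured when explicitly enabled.

// Assumptions for this example: claim name and client ID match the Action.
const TEST_ORG_CLAIM = 'test_org_id';
const TEST_CLIENT_IDS = new Set(['YOUR_M2M_CLIENT_ID']);

function isNonEmptyString(v) {
  return typeof v === 'string' && v.length > 0;
}

// Returns { orgId, source } or null. `claims` must come from a token whose
// signature, issuer, audience and expiry the JWT middleware already checked.
function resolveOrgId(claims, allowTestClaim = false) {
  if (isNonEmptyString(claims.org_id)) {
    return { orgId: claims.org_id, source: 'org_id' };
  }
  if (!allowTestClaim) return null;

  // Auth0 client-credentials tokens carry azp (the client ID) and
  // gty = "client-credentials"; require both so a user token that somehow
  // carries test_org_id is still rejected.
  const testOrg = claims[TEST_ORG_CLAIM];
  if (
    isNonEmptyString(testOrg) &&
    claims.gty === 'client-credentials' &&
    TEST_CLIENT_IDS.has(claims.azp)
  ) {
    return { orgId: testOrg, source: TEST_ORG_CLAIM };
  }
  return null;
}

// Authorization decision for an organization-only API route.
function authorizeOrgRequest(claims, options = {}) {
  const resolved = resolveOrgId(claims, options.allowTestClaim === true);
  if (resolved === null) {
    return { status: 403, error: 'organization_required' };
  }
  return { status: 200, orgId: resolved.orgId, source: resolved.source };
}

// Constructed sample payloads (decoded, treated as already verified).
const SAMPLE_CLAIMS = {
  userInOrg: {
    iss: 'https://example.us.auth0.com/', sub: 'auth0|user1',
    aud: 'https://api.example.test', org_id: 'org_abc123',
  },
  userNoOrg: {
    iss: 'https://example.us.auth0.com/', sub: 'auth0|user2',
    aud: 'https://api.example.test',
  },
  m2mTestClient: {
    iss: 'https://example.us.auth0.com/', sub: 'YOUR_M2M_CLIENT_ID@clients',
    aud: 'https://api.example.test', azp: 'YOUR_M2M_CLIENT_ID',
    gty: 'client-credentials', test_org_id: 'org_abc123',
  },
  m2mOtherClient: {
    iss: 'https://example.us.auth0.com/', sub: 'other_client@clients',
    aud: 'https://api.example.test', azp: 'other_client',
    gty: 'client-credentials', test_org_id: 'org_abc123',
  },
  userSmugglingTestClaim: {
    iss: 'https://example.us.auth0.com/', sub: 'auth0|user3',
    aud: 'https://api.example.test', test_org_id: 'org_abc123',
  },
};

// Usage: production never passes allowTestClaim, so only org_id is accepted;
// a test run of the API passes { allowTestClaim: true } for the M2M client.
console.log(authorizeOrgRequest(SAMPLE_CLAIMS.userInOrg));
console.log(authorizeOrgRequest(SAMPLE_CLAIMS.m2mTestClient));
console.log(authorizeOrgRequest(SAMPLE_CLAIMS.m2mTestClient, { allowTestClaim: true }));
```

The Action already limits the custom claim to one client, so the `azp`/`gty` check in the API is defence in depth rather than the primary control; the important property is that, with the test option off, an `org_id`-less token is refused exactly as before, so the test path cannot become an accidental bypass in production.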

Thanks, but that would also mean special logic in my app to handle this case for testing, which is not ideal. I’d prefer to have a proper solution from auth0 for this.

No worries, happy to help where I can. Unfortunately, as M2M tokens don’t support an organization I can’t see that being an option for strictly testing, but feel free to create a Feedback request.

The only other option I can really think of for testing given the org_id requirement is creating test user(s) in your organizations. Auth0 unfortunately doesn’t offer any sort of user impersonation, so this may be your best bet. The auth0-cli provides a test token command which could be useful in generating an access token for test users.