We have our Backend API that is protected by JWT access tokens issued by Auth0.
We have an SPA that allows users to get access tokens by Auth0 with Google identity provider.
We would like to allow our users to be able to get access tokens for M2M communication on behalf of them, i.e. it's like the Client Credentials Flow but with the user's context.
Is there any way we can achieve this?
To make an access (bearer) token distinguishable (containing some user-specific data) you can try to implement an Actions script.
Specifically: the Machine to Machine Flow and the event.request.body method (to extract custom "key": "value" params sent to the POST https://domain.auth0.com/oauth/token endpoint). This custom param would contain user-specific data.
Later, using the api.accessToken.setCustomClaim(name, value) within the same Action, you can add a custom claim to the access token containing this user-specific data sent within the request.
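As an added example (not code from the post above or from Auth0), a Machine to Machine Action of the kind described, run against a small mock of the Actions `api` object so it executes offline. The body parameter name `acting_user_id`, the claim namespace `https://example.com/` and the accepted user-id shape are assumptions; the handler validates the parameter and denies the exchange when it is missing or malformed, since the calling M2M client can put any value in the request body.

```javascript
// Added example: credentials-exchange (Machine to Machine) Action that copies a
// caller-supplied user reference from the /oauth/token request body into a
// namespaced custom claim on the issued access token.
// In a real Action this handler is assigned to exports.onExecuteCredentialsExchange.
const CLAIM_NS = 'https://example.com/';            // assumed namespace, avoids clashing with standard claims
const BODY_PARAM = 'acting_user_id';                // assumed custom POST parameter name
const USER_ID_RE = /^(auth0|google-oauth2)\|[A-Za-z0-9]{1,64}$/; // assumed user_id shape

// Same signature as the Auth0 credentials-exchange trigger.
// The M2M client can assert any value, so the Action can only enforce the
// parameter's shape; the backend must still decide how far it trusts this client.
async function onExecuteCredentialsExchange(event, api) {
  const body = (event.request && event.request.body) || {};
  const actingUser = body[BODY_PARAM];
  if (typeof actingUser !== 'string' || !USER_ID_RE.test(actingUser)) {
    // Refuse to mint a token rather than issue one with an empty or malformed claim.
    api.access.deny('invalid_request', `missing or malformed ${BODY_PARAM}`);
    return;
  }
  api.accessToken.setCustomClaim(`${CLAIM_NS}acting_user_id`, actingUser);
  // Record which M2M client asserted the user, so the backend can audit it.
  api.accessToken.setCustomClaim(`${CLAIM_NS}caller_client_id`, event.client.client_id);
}

// Minimal stand-in for the Actions `api` object (constructed for this example).
function makeMockApi() {
  const state = { claims: {}, denied: null };
  return {
    state,
    access: { deny: (reason, message) => { state.denied = { reason, message }; } },
    accessToken: { setCustomClaim: (name, value) => { state.claims[name] = value; } },
  };
}

// Run the handler on a constructed token request and return the resulting
// claims / denial. The handler contains no await, so its effects are complete
// as soon as the call returns, which keeps this helper synchronous.
function simulate(body) {
  const api = makeMockApi();
  const event = { client: { client_id: 'CLIENT_ID_PLACEHOLDER' }, request: { body } };
  onExecuteCredentialsExchange(event, api);
  return api.state;
}

console.log(simulate({ acting_user_id: 'google-oauth2|1234567890' }));
console.log(simulate({ acting_user_id: 'google-oauth2|12 34; not-an-id' }));
```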