I have set up a Single Page Client with implicit grant type, where I successfully have been able to add custom claims to the access token using Rules. In order to keep manageability and consistency I use the Management API with scripts, which I version control.
However, now I have a need for implementing some Non Interactive Clients as well, using the Client Credentials grant type. And these access tokens need (some of) the same custom claims as the ones already implemented.
Through testing, reading docs and the forums, this is my current understanding.
It is not possible to alter the access token of a Non-Interactive client with Client Credentials grant using Rules. The only way to do this is using Hooks. Correct?
And to follow-up, it seems that it’s not possible to alter the access token of a SPA client with Implicit grant type using Hooks, only Rules (unless a new User entry is created, which doesn’t fit my use case). Correct?
Hooks are not supported in the management API, only in the Auth0 Web CLI. Correct?
Thus, my conclusion is that in order to accomplish what I want I have to implement the same logic twice, using both hooks and rules. And doing so using two different management constructions (the API for rules and the CLI for hooks).
Am I correct, or is it something I have overlooked?