I have a single Auth0 application that will be assigned scopes when requesting an access token. The machines requesting this token will all use the same client id and secret from the application. The only difference is the Auth0 API audience - there will be a different Auth0 API for each machine requesting the token. Is this the proper way to assign scopes on the access token?
Or, should each machine use a different Auth0 application (with different client ids and secrets) and be granted an access token using a single Auth0 API (audience)? Is one more secure than the other?
I need a different type of info to help with this. You are providing the implementation details. But I need the overall use case. What does a machine represent? Is there a user involved? What happens if one machine tries to impersonate another?
A machine, in this case, represents a customer using their API to request an access token to hit our endpoint. There are multiple customers that would need a token with different scopes. There are no users that would login.
What happens if one machine tries to impersonate another?
Not exactly sure what you mean, but I think this is what I am asking. If each customer has the same client id and client secret, and only a unique audience when requesting a token, would it be easier for impersonation?
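The two layouts from the original question (one shared client id/secret with a different API audience per customer, versus one client per customer with a single API audience) and the impersonation question in the last reply, modelled as a runnable example. This is added code, not code from the thread or from Auth0: it is a small stand-in for an authorization server doing the client-credentials grant, with a resource server that verifies the token. The signing key, client ids, secrets, audiences, scopes and the `https://api.example/...` URLs are all constructed for the example, and the grant/error behaviour is a simplification rather than a statement of how Auth0 responds. Tokens are HS256 JWTs built with the standard library only.

```python
"""Client-credentials grant with two client/audience layouts (constructed example)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key shared by the token issuer and the resource server.
KEY = b"constructed-signing-key-for-example"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class AuthServer:
    """Minimal stand-in for an authorization server issuing client-credentials tokens.

    clients: client_id -> secret
    grants:  (client_id, audience) -> scopes that client may obtain for that audience
    This loosely mirrors an M2M application being authorized for an API with a
    list of permissions; the exact rules and errors are simplified (assumption).
    """

    def __init__(self, signing_key: bytes):
        self.key = signing_key
        self.clients: dict[str, str] = {}
        self.grants: dict[tuple[str, str], set[str]] = {}

    def register_client(self, client_id: str, secret: str) -> None:
        self.clients[client_id] = secret

    def grant(self, client_id: str, audience: str, scopes: list[str]) -> None:
        self.grants[(client_id, audience)] = set(scopes)

    def token(self, client_id: str, secret: str, audience: str, scope: str) -> str:
        # The only thing tying a request to an identity is the client secret:
        # whoever presents it *is* this client, whatever audience they ask for.
        if self.clients.get(client_id) != secret:
            raise PermissionError("invalid_client")
        allowed = self.grants.get((client_id, audience))
        if allowed is None:
            raise PermissionError("access_denied: client not granted this audience")
        requested = set(scope.split())
        if not requested <= allowed:
            raise PermissionError("access_denied: scope not granted")
        now = int(time.time())
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"iss": "https://issuer.example/", "sub": client_id + "@clients",
                  "azp": client_id, "aud": audience, "iat": now, "exp": now + 3600,
                  "scope": " ".join(sorted(requested))}
        signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                         + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
        sig = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)


def verify(token: str, key: bytes, expected_aud: str, required_scope: str):
    """Resource-server check: signature, expiry, audience, then scope. None = reject."""
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(body))
    if claims["exp"] < time.time() or claims["aud"] != expected_aud:
        return None
    if required_scope not in claims["scope"].split():
        return None
    return claims


def layout_a_shared_client() -> bool:
    """One client, one audience per customer: any holder of the secret picks the audience."""
    auth = AuthServer(KEY)
    auth.register_client("shared-client", "shared-secret")
    auth.grant("shared-client", "https://api.example/customer-a", ["read:orders"])
    auth.grant("shared-client", "https://api.example/customer-b", ["read:orders", "write:orders"])
    # Customer A is meant to get only read:orders, but with the shared secret it can
    # request customer B's audience and scopes; the issuer cannot tell them apart.
    tok = auth.token("shared-client", "shared-secret", "https://api.example/customer-b", "write:orders")
    claims = verify(tok, KEY, "https://api.example/customer-b", "write:orders")
    return claims is not None and claims["azp"] == "shared-client"


def layout_b_client_per_customer() -> bool:
    """One client per customer, one audience: the grant bounds each customer's scopes."""
    auth = AuthServer(KEY)
    api = "https://api.example/"
    auth.register_client("customer-a", "secret-a")
    auth.register_client("customer-b", "secret-b")
    auth.grant("customer-a", api, ["read:orders"])
    auth.grant("customer-b", api, ["read:orders", "write:orders"])
    try:
        auth.token("customer-a", "secret-a", api, "write:orders")
        escalated = True
    except PermissionError:
        escalated = False
    tok = auth.token("customer-a", "secret-a", api, "read:orders")
    claims = verify(tok, KEY, api, "read:orders")
    # The resource server can attribute the call to a specific customer via azp/sub,
    # and a read-only token is rejected for a write-only endpoint.
    return (not escalated and claims["azp"] == "customer-a"
            and verify(tok, KEY, api, "write:orders") is None)
```

The point the two functions make: in layout A the audience is chosen by whoever holds the one shared secret, so the issuer has nothing to distinguish customers with, and a leaked secret from one customer is a secret for all of them; in layout B each customer's client grant bounds the scopes it can be issued, and the token carries which client obtained it, so the resource server can attribute calls and a leak is scoped to a single client that can be rotated on its own.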