We want to architect Auth0 such that, whenever a user signs up on our developer portal, they get their own client_secret and client_id. I know this can be achieved by creating one application per user.
Say I have 10 users; I will have 10 applications of type machine-to-machine, one per user. All of these will be authorized with a common audience.
I can get this far. Now user x has access to its client_id and client_secret and can issue an access token whenever they want.
I issued an access token for one sample user, but the only permission it lists is client_grant. What I want is to be able to add more permissions to this token, like read:messages and delete:messages.
Can this be done at the application level? Because this token is granted through the client credentials flow as follows:
```
curl --request POST \
  --url 'https://<DOMAIN>.us.auth0.com/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=client_credentials \
  --data 'client_id=<id>' \
  --data 'client_secret=<secret>' \
  --data 'audience=<audience>'
```
This tells me the token is not tied to a user, so adding permissions on the user won't help, right?
What approach can I take here? PS: my understanding of Auth0 and OAuth 2.0 in general is pretty weak.
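To see concretely what a client-credentials token carries, here is an added example (not code from the question or from Auth0) that builds the same token request as the curl above and then inspects the claims of a returned access token offline. It assumes the claim names Auth0 puts in such tokens (`scope` as a space-separated string, `gty` set to `client-credentials`, `sub` ending in `@clients`); the sample token is constructed and unsigned, so the decoder is for inspection only, not for making authorization decisions.

```python
import base64
import json
from urllib.parse import urlencode


def build_token_request(domain: str, client_id: str, client_secret: str, audience: str) -> dict:
    """Same exchange as the curl in the question: POST form data to /oauth/token."""
    return {
        "url": f"https://{domain}/oauth/token",
        "headers": {"content-type": "application/x-www-form-urlencoded"},
        "body": urlencode({
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            "audience": audience,
        }),
    }


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (inspection only).
    A resource server must verify the signature against the tenant's JWKS first."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def token_scopes(claims: dict) -> list[str]:
    """Auth0 lists granted permissions in the space-separated 'scope' claim."""
    return claims.get("scope", "").split()


def is_client_credentials_token(claims: dict) -> bool:
    """Tokens from the client-credentials grant carry gty=client-credentials
    and a subject of the form <client_id>@clients; no user is involved."""
    return claims.get("gty") == "client-credentials" and claims.get("sub", "").endswith("@clients")


def _unsigned_jwt(payload: dict) -> str:
    # Constructed sample token (alg none, empty signature) for offline testing only.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed example of what a token for one per-user M2M application might contain
# once its client grant is authorized for read:messages and delete:messages.
SAMPLE_TOKEN = _unsigned_jwt({
    "iss": "https://example-tenant.us.auth0.com/",  # placeholder tenant
    "sub": "abc123clientid@clients",                # placeholder client_id
    "aud": "https://api.example.com/messages",      # placeholder audience
    "scope": "read:messages delete:messages",
    "gty": "client-credentials",
})
```

Running `token_scopes(decode_claims(SAMPLE_TOKEN))` shows the permissions present in the token; a real token with only the default grant would return an empty list here.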