This is a request to support organization-scoped permissions for M2M clients. For example, instead of granting the API permission read:documents across all organizations, I would like to grant read:documents only within the scope of one or more specific organizations. Auth0 supports this for users but not for M2M clients.
Our use case is a service that implements custom API integrations per customer. Our customers (modeled as organizations in Auth0) each have their own M2M client credentials which they use to fetch data from our service. We need to restrict each organization to reading its own data.
My best idea for a workaround is to create a dummy user for each M2M client, and store that user’s id in the M2M client metadata. When evaluating API permissions, we would make a Management API call to fetch the user’s organization membership and use that information to authorize the request. I expect this will work, but it’s a lot of extra bookkeeping versus assigning organization permissions to the M2M client directly.
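One way to implement the workaround just described on the API side, as an added example that is not code from the original post or from Auth0. It assumes the client-credentials access token's `azp` claim carries the client_id (Auth0 M2M tokens include it), that the dummy user's id is stored in the M2M client's `client_metadata` under the hypothetical key `org_user_id`, that the `permissions` claim is present (RBAC with "Add Permissions in the Access Token" enabled), and that the Management API responses for `GET /api/v2/clients/{id}` and `GET /api/v2/users/{id}/organizations` are cached in a local `directory` refreshed out of band, so the per-request check needs no network call. The sample data is constructed.

```javascript
// Added example (not from the original post or Auth0): authorize a request by
// mapping M2M client -> dummy user -> organization membership.

// Constructed stand-in for cached Management API responses. In a real deployment
// this would be populated (and periodically refreshed) from
// GET /api/v2/clients/{id} and GET /api/v2/users/{id}/organizations.
const directory = {
  clients: {
    client_acme:     { client_id: "client_acme",     client_metadata: { org_user_id: "auth0|acme-svc" } },
    client_globex:   { client_id: "client_globex",   client_metadata: { org_user_id: "auth0|globex-svc" } },
    client_unmapped: { client_id: "client_unmapped", client_metadata: {} },
  },
  userOrgs: {
    "auth0|acme-svc":   [{ id: "org_acme",   name: "acme" }],
    "auth0|globex-svc": [{ id: "org_globex", name: "globex" }],
  },
  getClient(id) { return this.clients[id] || null; },
  getUserOrganizations(userId) { return this.userOrgs[userId] || []; },
};

// Decide whether the caller identified by `claims` (already-verified token
// claims) may perform `permission` inside `requestedOrgId`. Fails closed:
// every missing piece of the chain is a denial with a stated reason.
function authorizeOrgRead(dir, claims, requestedOrgId, permission = "read:documents") {
  if (!claims || typeof claims.azp !== "string") {
    return { allowed: false, reason: "no azp claim" };
  }
  // The token must carry the base permission regardless of organization.
  const perms = Array.isArray(claims.permissions) ? claims.permissions : [];
  if (!perms.includes(permission)) {
    return { allowed: false, reason: `missing ${permission}` };
  }
  // Step 1 of the workaround: client_metadata points at the dummy user.
  const client = dir.getClient(claims.azp);
  const userId = client && client.client_metadata && client.client_metadata.org_user_id;
  if (!userId) {
    return { allowed: false, reason: "client not mapped to a user" };
  }
  // Step 2: the dummy user's organization membership is the allow-list.
  const orgs = dir.getUserOrganizations(userId);
  const member = orgs.some((o) => o.id === requestedOrgId);
  return member
    ? { allowed: true, reason: "ok", userId }
    : { allowed: false, reason: "organization not in membership" };
}

// Express-style middleware wrapper; `req.auth` is assumed to hold token claims
// whose signature, issuer and audience were validated upstream.
function requireOrgRead(dir) {
  return (req, res, next) => {
    const decision = authorizeOrgRead(dir, req.auth, req.params.orgId);
    if (!decision.allowed) {
      return res.status(403).json({ error: decision.reason });
    }
    next();
  };
}

module.exports = { directory, authorizeOrgRead, requireOrgRead };
```

Because the decision depends on two Management API objects that rarely change, caching them locally keeps the per-request cost at two map lookups and removes the Management API from the request path; the cache refresh is the bookkeeping the post refers to, and it is where a stale mapping would linger after a client is rotated, so the refresh interval should be chosen with that in mind.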