We’ve recently been investigating using organizations as a prerequisite for being granted an M2M token.
Currently, we manage this by creating separate applications for each of our intended M2M clients. This means that we can lock down our own internal applications and external client applications by only telling them about the client ID/secret that is relevant to them.
Ideally, we would love to replace this system with a single M2M application and restrict access by organization. It would save us a bit of infrastructure management and more closely mimic what we do with our web applications and their login flow. While reading the documentation, it seems that when requesting an M2M token through the client credentials flow, the caller must provide the organization they wish to assume.
While this is fine for our internal applications, we’re hesitant to implement this model for our external customers. For instance, if a customer (represented by a single organization) obtained the organization information for an unrelated customer, they would be able to spoof a request as that organization.
Is there an out-of-the-box way to “harden” this M2M organization request? I.e., is there a more secure way of locking down a customer to only be able to request M2M tokens for their organization? I can think of a few ways through the credentials-exchange action flow, but I’m wondering if the effort spent there is worth the benefit, or should we simply keep our current setup the way it is?
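As an added illustration of the credentials-exchange approach mentioned in the question (example code, not part of the original post and not Auth0's own), the check below pins each M2M client ID to the organizations it is allowed to request and fails closed for everything else, so a caller who learns another customer's organization identifier still cannot mint a token for it. The `onExecuteCredentialsExchange` hook name, the `event.client.client_id` / `event.organization.id` fields and `api.access.deny(code, reason)` are taken from the credentials-exchange Action model and are assumptions here; the client and organization identifiers in the allow-list are constructed sample values.

```javascript
// Constructed sample allow-list: which organizations each client_id may request.
// In a real deployment this binding would come from client metadata or a
// configuration store rather than being hard-coded.
const CLIENT_ORG_BINDINGS = {
  client_acme_m2m: new Set(["org_acme"]),
  client_globex_m2m: new Set(["org_globex"]),
  // An internal client that legitimately operates across several tenants.
  client_internal_ops: new Set(["org_acme", "org_globex"]),
};

/**
 * Decide whether a client-credentials request for `requestedOrgId` should be honored.
 * Returns { allowed: boolean, reason: string }.
 * Fails closed: unknown clients, missing organizations and unbound pairs are denied.
 */
function evaluateOrganizationBinding(clientId, requestedOrgId, bindings = CLIENT_ORG_BINDINGS) {
  if (typeof clientId !== "string" || clientId.length === 0) {
    return { allowed: false, reason: "missing client_id" };
  }
  const allowedOrgs = bindings[clientId];
  if (!allowedOrgs) {
    return { allowed: false, reason: "client has no organization binding" };
  }
  if (typeof requestedOrgId !== "string" || requestedOrgId.length === 0) {
    return { allowed: false, reason: "no organization in request" };
  }
  if (!allowedOrgs.has(requestedOrgId)) {
    return { allowed: false, reason: `client not bound to organization ${requestedOrgId}` };
  }
  return { allowed: true, reason: "ok" };
}

// Assumed Action hook shape. In an Auth0 Action this function would be exported as
// exports.onExecuteCredentialsExchange; event/api field names are assumptions here.
async function onExecuteCredentialsExchange(event, api) {
  const clientId = event.client && event.client.client_id;
  const requestedOrgId = event.organization && event.organization.id;
  const verdict = evaluateOrganizationBinding(clientId, requestedOrgId);
  if (!verdict.allowed) {
    // Emit a log line for detection: repeated denials for one client_id against
    // organizations it is not bound to are worth alerting on.
    console.log(`org-binding denied client=${clientId} org=${requestedOrgId} reason=${verdict.reason}`);
    api.access.deny("invalid_request", "Client is not authorized for the requested organization");
  }
}
```

The allow-list is keyed by client ID rather than by organization so that a compromised or curious customer gains nothing from knowing other organization identifiers: the only organizations a client can ever be issued a token for are the ones its own binding lists. Keeping the decision in a pure function (`evaluateOrganizationBinding`) also makes the policy easy to unit-test outside the identity provider.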