I currently have a working implementation of retrieving an access token by using getTokenSilently, which is then used to authorize a user’s request when making API calls (behind the scenes).
The issue I’ve encountered is that each time a token is retrieved, it appears to consume our allocated M2M usage. I was under the impression that M2M usage only applied to backend services, but that simply isn’t true. I’d also like to note that it’s difficult to tell if the usage applies whenever a token is retrieved or on every single token retrieval. This is primarily due to the fact that the usage data lags behind actual usage, so it’s impossible to get a good handle on your usage in real time.
So what is the optimal way to make getting a token efficient whilst cutting down on M2M usage within a SPA?
I have also shared the token expirations and was beginning to wonder if extending the browser expiration would be the only way to “optimize” usage.
SPA ID Token Expiration (Seconds): 36000
Token Expiration For Browser Flows (Seconds): 7200
Token Expiration (Seconds): 86400
This sounds like a misconfiguration. The user access tokens shouldn’t count towards your M2M limit, and getTokenSilently should be caching tokens until they are expired or the page is refreshed or reopened. Do you have your SPA registered as an M2M application?
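To illustrate the caching behaviour described in the reply above (a token is reused until it expires rather than fetched on every API call), here is an added example; it is not code from this thread or from the auth0-spa-js library. It wraps any getTokenSilently-style async fetcher in a small cache keyed on the JWT `exp` claim, dedupes concurrent refreshes, and counts how many calls actually reach the authorization server. The fetcher, the sample tokens, the clock and the 7200-second lifetime (the browser-flow value posted above) are all constructed here so it runs offline; `TokenCache`, `jwtExpiry` and `makeSampleJwt` are names chosen for this example.

```javascript
// Added example, not from the original thread or from auth0-spa-js.
// A cache in front of a getTokenSilently-style fetcher: only hit the
// authorization server when no token is cached or it is about to expire.

function base64UrlDecode(str) {
  const pad = str.length % 4 === 0 ? '' : '='.repeat(4 - (str.length % 4));
  const b64 = str.replace(/-/g, '+').replace(/_/g, '/') + pad;
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Read `exp` from a JWT without verifying it. The client only needs the
// expiry to schedule refreshes; the API must still verify the signature.
function jwtExpiry(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  if (typeof payload.exp !== 'number') throw new Error('JWT has no exp claim');
  return payload.exp; // seconds since epoch
}

class TokenCache {
  // fetchToken: async () => string, e.g. () => auth0.getTokenSilently({ audience })
  // now: () => seconds since epoch (injectable so tests can move the clock)
  // leewaySeconds: refresh this long before expiry so a token does not die mid-request
  constructor(fetchToken, { now = () => Math.floor(Date.now() / 1000), leewaySeconds = 60 } = {}) {
    this.fetchToken = fetchToken;
    this.now = now;
    this.leewaySeconds = leewaySeconds;
    this.cached = null;    // { token, exp }
    this.inFlight = null;  // pending refresh shared by concurrent callers
    this.fetchCount = 0;   // how many calls actually reached the fetcher
  }

  isFresh() {
    return this.cached !== null && this.cached.exp - this.leewaySeconds > this.now();
  }

  async getToken() {
    if (this.isFresh()) return this.cached.token;
    if (this.inFlight) return this.inFlight; // one refresh for many concurrent API calls
    this.inFlight = (async () => {
      try {
        this.fetchCount += 1;
        const token = await this.fetchToken();
        this.cached = { token, exp: jwtExpiry(token) };
        return token;
      } finally {
        this.inFlight = null;
      }
    })();
    return this.inFlight;
  }
}

// Constructed sample token: unsigned JWT with the given exp (signature is a placeholder).
function makeSampleJwt(exp) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc({ sub: 'auth0|123', aud: 'https://api.example.com', exp })}.sig`;
}

// Simulate a page making 100 API calls about 1.8 minutes apart (roughly 3 hours)
// with 7200-second tokens. Returns how many times the fetcher was invoked.
async function simulate() {
  let clock = 1700000000;
  const now = () => clock;
  const fetcher = async () => makeSampleJwt(now() + 7200);
  const cache = new TokenCache(fetcher, { now, leewaySeconds: 60 });
  for (let i = 0; i < 100; i++) {
    await cache.getToken();
    clock += 108;
  }
  return cache.fetchCount;
}

// Five API calls fired at once before any token is cached share a single refresh.
async function simulateBurst() {
  const cache = new TokenCache(async () => makeSampleJwt(Math.floor(Date.now() / 1000) + 7200));
  await Promise.all([1, 2, 3, 4, 5].map(() => cache.getToken()));
  return cache.fetchCount;
}
```

With the 7200-second browser-flow lifetime, 100 API calls over three hours cost two token fetches, not a hundred; the burst case shows why in-flight deduplication matters when a page fans out several API requests on load.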
I double checked and we do not have our SPA registered as an M2M application.
I verified this under each of our APIs and Machine to Machine Applications.
I’m beginning to suspect our custom Rules; one in particular builds up the user’s permissions by calling managementClient.getUserPermissions. I’ve included the snippet below for clarity.
function (user, context, callback) {
  // Auth0 Rule: copy the user's API permissions into a namespaced ID token claim.
  var ManagementClient = require('auth0@2.17.0').ManagementClient;
  var management = new ManagementClient({
    domain: auth0.domain,
    token: auth0.accessToken   // Management API token provided to the Rule sandbox
  });
  var params = {
    id: user.user_id,
    include_totals: true,
    page: 0,
    per_page: 10               // only the first page is read; raise per_page or loop over pages if a user can hold more than 10 permissions
  };
  const namespace = 'https://test.com';
  management.getUserPermissions(params, function (err, permissions) {
    if (err) {
      console.log('err: ', err);
      return callback(err);    // return here: the original fell through and invoked callback a second time after reporting the error
    }
    // Array.prototype.map suffices here; no array-map module is needed.
    var permissionsArr = permissions.permissions.map(function (permission) {
      return permission.permission_name;
    });
    context.idToken[`${namespace}/claims`] = {
      permissions: permissionsArr
    };
    callback(null, user, context);
  });
}
Calls to Auth0 APIs shouldn’t count against your M2M quota. This includes the management API. So it must be something else. You should be able to narrow it down to any M2M application that uses a non-Auth0 audience.
It looks like you have a default audience configured. That could be causing this. Every application is requesting a token for your API, and that means every M2M token would be counted towards your quota. Does that make sense?