Supporting both Client Credentials and User-based flows in API

I am aiming to design an API that supports actions originating from both users and from clients. As an example, a user being assigned to a task.

  • A user access token (user identified by the ‘sub’ claim) may assign a task to themselves.
  • A machine (user identified in some other way, header? request field?) may assign a task to a user.

I would like to ask what a common approach to a problem like this is. I see two potential options:

  • Have a second API that the user access token may be used for. Have this then call the API using an M2M token with the user context.
  • Conditional logic to validate permissions based on the grant type, and act accordingly.

There may be another, better option that I haven’t considered.

Cheers.

Hey, @Chris-SG! Welcome to the Auth0 Community.

I think that you’re moving forward here, but there’s a detail to understand: M2M tokens are used for when a machine is intending to act on behalf of itself. Yes, it can, within the resource server, do anything that it’s authorized for.

In this event, you don’t even need conditional logic, as each token would have its own scopes. This means that you can only authorize the M2M application to have certain scopes, and not to have others, and you should act based on the scopes that the provided token has.

You can read more about scopes here: Scopes
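The scope-driven check the reply describes, as an added example that is not part of the original thread: the "assign task" endpoint decides purely from the token's `scope` and `sub` claims, never from how the token was obtained. The scope names `assign:tasks` (M2M application) and `assign:tasks:self` (user tokens) and the sample claims are assumptions, and the claims are taken to come from an access token whose signature has already been verified.

```python
from dataclasses import dataclass

# Assumed scope names: the M2M application is granted only ASSIGN_ANY,
# user tokens are granted only ASSIGN_SELF (configured on the Auth0 API).
ASSIGN_ANY = "assign:tasks"
ASSIGN_SELF = "assign:tasks:self"

# Constructed sample claims, standing in for already signature-verified tokens.
USER_CLAIMS = {"sub": "auth0|user-123", "scope": "read:tasks assign:tasks:self"}
M2M_CLAIMS = {"sub": "clientid@clients", "scope": "assign:tasks"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def scopes_of(claims: dict) -> set[str]:
    # Auth0-style access tokens carry scopes as a space-separated "scope" claim.
    return set(claims.get("scope", "").split())


def authorize_assignment(claims: dict, assignee: str) -> Decision:
    """Decide whether the token's bearer may assign a task to `assignee`.

    `assignee` is the user id supplied in the request body, which answers the
    question of how a machine names the target user. No branch inspects the
    grant type; only the scopes and, for self-assignment, the `sub` claim matter.
    """
    scopes = scopes_of(claims)
    if ASSIGN_ANY in scopes:
        # Only the M2M application is granted this scope, so it may target anyone.
        return Decision(True, f"{ASSIGN_ANY} permits assigning to any user")
    if ASSIGN_SELF in scopes:
        if claims.get("sub") == assignee:
            return Decision(True, f"{ASSIGN_SELF} permits self-assignment")
        return Decision(False, f"{ASSIGN_SELF} only covers the caller's own sub")
    return Decision(False, "token carries no assignment scope")


if __name__ == "__main__":
    for claims, target in ((USER_CLAIMS, "auth0|user-123"),
                           (USER_CLAIMS, "auth0|user-456"),
                           (M2M_CLAIMS, "auth0|user-456")):
        print(claims["sub"], "->", target, authorize_assignment(claims, target))
```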