User context with m2m application

Hi all,

I’ll start with our final goal : we want to have user context when calling our API using the machine2machine method (we don’t have a web app) + having the ability to configure scopes and permissions for USERS.

So far we did the following:

  1. Created a web application and defined a login flow for users and obtained token for the user.
  2. We configured manually permissions and roles for the user-application-api accordingly
  3. However, the token obtained in (1) doesn’t have “scopes” field in it whatsoever, hence we are unable to access the api which is protected by “hasAuthority” of the requires permissions.

We followed spring mvc exmaples.
Please let me know if any more information regarding our issue is required.

Thank you!

1 Like

Hi @liron.kreiss Welcome to Auth0 community.


These two contradict each other, don’t they? Can you give us some idea about your use case first without using the implementation details? For eg. is it a single page app? do you have a backend api? do the user login to the application and then retrieve data by calling the api? etc.

additionally can you pint to the specific spring mvc sample that you based your implementation on? is it this one or this one

Hi @ashish, thanks for your quick reply :slight_smile:
I’ll elaborate on our use case - we have a spring boot application which exposes APIs. We currently doesn’t have a web interface (UI), we want to allow users to use our APIs without UI (via their own clients).
We want to have the ability to define scopes for USERS to use our API, not via a web interface (other clients - curl,postman,swagger,etc). I hope It’s clearer now.

Actually I used both of the documentation you have sent. I’ve implmeneted the login-callback flow and currently using this method for the jwt configuration:
@EnableWebSecurity(debug = true)
public class Auth0SecurityConfig extends WebSecurityConfigurerAdapter {

protected void configure(HttpSecurity http) throws Exception {
            .forRS256(clientId, "https://" + domain + "/")
            .antMatchers("/callback", "/login", "/v1/isAlive", "/clientLogin").permitAll()


When tried to add “.antMatchers(”/v1/customers/*").hasAuthority(“read:customers”)", and gave my user the required permission, I get “forbidden”. When I look at the token I get from auth0 I see I have “permission” section but not “scope” section.