Using App Metadata to customize access token per client for M2M applications

gavin3466 · January 6, 2023, 7:31am

I have an API that needs to authorize access based on company_id. One way to do it is to maintain a mapping of the company ID and all the client IDs (M2M apps) it generates. I am wondering whether it’d be better/secure to just embed the company ID in the access token instead. Here is the workflow I plan to implement -

when a company creates the M2M app (via our portal), we put the company_id in the app metadata;
we then use Action to put App Metadata in the Access token as a custom claim;
Our API upon receiving the access token, decodes jwt and extract company_id and use it for authorization.

Will this work? Is that any security issue with this approach?

Thanks!!!

rueben.tiow · January 6, 2023, 5:21pm

Hi @gavin3466,

Thanks for reaching out to the Auth0 Community!

Yes! Your proposed approach will work and will be a secure way to handle authorization.

Here is a helpful FAQ resource I recommend reading: Adding custom claims to tokens

Please let me know if you have any additional questions.

Thanks,
Rueben

system · January 20, 2023, 5:22pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Implementing personal access token Help	10	3478	October 5, 2022
Client Credentials M2M Login customize token Help jwt , auth0 , rules , access-token	3	3789	May 11, 2020
Setting permissions per client for M2M applications Help	2	3930	August 27, 2020
Add uuid as custom claim to accesstoken Help jwt , auth0 , api , actions	6	3900	December 7, 2021
What is the correct method to protect client-facing API? Help access-token	5	2116	October 27, 2023

Using App Metadata to customize access token per client for M2M applications

Related topics