OAuth 2.0 Machine to Machine Authentication Best Practice


We want to implement machine-to-machine authorization with OAuth 2.0. But we are not sure how we can do authentication (i.e. how we can identify which client connects to us). The use case would be:

  • Multiple clients with different OAuth credentials want to connect to our service.
  • We are using JWT tokens for the OAuth implementation.
  • With OAuth we can authorize them, since they will have a valid token.
  • We want to be able to identify which client it is, for statistics needs.

One solution could be the use of the scope field in the JWT token, but it seems like a hack rather than a proper solution.

Is there any best practice in this domain? For me it is more like OpenID, but for a machine.


Maybe you could retrieve the audience of the JWT token instead and use that to determine which client you need.

Hi @abroadhurst, thanks for the reply. What do you mean by the audience?

If you decode the JWT you can get the aud (audience) claim (https://jwt.io/). This can determine who signed off on the JWT (so which Okta domain).