
Improve Get Management API Access Tokens for Single-Page Applications #10239

Open
tonyhallett opened this issue Mar 18, 2023 · 1 comment

@tonyhallett

https://auth0.com/docs/secure/tokens/access-tokens/get-management-api-tokens-for-single-page-applications

Issues

In the instructions for Retrieve a Management API token, it incorrectly links to Get Management API Access Tokens for Testing.

Given that you are linking to /api/v2/users/{id}, the placeholder is id. The management api access token should be in the Authorization HTTP header using the Bearer authentication scheme.

Be sure to replace the USER_ID and MGMT_API_ACCESS_TOKEN placeholder values...

Suggestion

Provide the audience for below - https://{tenant}.auth0.com/api/v2/ ( as mentioned https://auth0.com/docs/secure/tokens/access-tokens/get-access-tokens#control-access-token-audience )
Reiterate that this scope needs to be requested.

You can retrieve a Management API Token from a SPA (using the Management API’s audience to generate it) and use the token to call the Management API to retrieve the full user profile of the currently logged-in user.


Perhaps the scopes on the management api page should mention Scope for current user

@hannasm

hannasm commented May 31, 2023

I have to agree with this ticket, it is a bit of a maze to find the pertinent information and that page seems to be the main search result I kept hitting from google / stack overflow / forums / etc...

It seems like this page has a good example of how to do this in the javascript api. I'm sure most of the other languages will work the same though. https://auth0.com/docs/libraries/auth0js#user-management

It's also odd that doing this from an SPA is discouraged considering my project did not require any server-side modifications to get this working. Perhaps this page should provide instructions on how to lock down a project to prevent users from accessing these scopes, and/or how to enable the relevant scopes if we want to go against the recommendations.

Better yet, how about just setting up appropriate DDoS protections for this scenario, so this use case can be part of the standard toolset instead of it being a potential vulnerability for anyone who doesn't get the configuration just right.

Auth0 does not recommend putting Management API Tokens on the frontend that allow users to change user metadata. This can allow users to manipulate their own metadata in a way that could be detrimental to the functioning of the applications. It also allows a customer to do a DoS attack against someone's management API by just spamming it and hitting rate limits.
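As an added example (not code from the issue, the Auth0 docs or auth0.js), this shows the checks a SPA should make on a Management API token before calling /api/v2/users/{id}, tying together the audience and scope points from the first post and the javascript usage from the second: the token's aud must be the Management API audience, its scope must include the current-user scope, and the {id} is taken from the token's own sub with the token sent as a Bearer header. The tenant name and the read:current_user scope name are assumptions, and the sample tokens are constructed and unsigned.

```javascript
// Added example, not Auth0's own code. Assumptions: tenant name, and that
// read:current_user is the "scope for current user" the page refers to.
const TENANT = "example-tenant";
const MGMT_AUDIENCE = `https://${TENANT}.auth0.com/api/v2/`;

// Decode the JWT payload only to inspect its claims client-side. This is not
// signature verification; the Management API verifies the token server-side.
function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Build the request for the current user's profile, or throw if the token
// was not issued for the Management API or lacks the required scope.
function buildCurrentUserRequest(jwt, requiredScope = "read:current_user") {
  const claims = decodePayload(jwt);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(MGMT_AUDIENCE)) {
    throw new Error(`token audience ${JSON.stringify(claims.aud)} is not ${MGMT_AUDIENCE}`);
  }
  const scopes = (claims.scope || "").split(" ").filter(Boolean);
  if (!scopes.includes(requiredScope)) {
    throw new Error(`token lacks scope ${requiredScope}; has: ${scopes.join(" ") || "(none)"}`);
  }
  if (typeof claims.sub !== "string" || claims.sub === "") {
    throw new Error("token has no sub claim");
  }
  // Use the token's own sub as {id}: a SPA token should only read the logged-in user.
  return {
    url: `${MGMT_AUDIENCE}users/${encodeURIComponent(claims.sub)}`,
    headers: { Authorization: `Bearer ${jwt}` },
  };
}

// Constructed, unsigned sample token (alg "none") for demonstration only.
function makeSampleToken(payload) {
  const enc = (o) =>
    Buffer.from(JSON.stringify(o)).toString("base64")
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.`;
}
```

The returned url and headers can be passed straight to fetch; a real token comes from the SDK's silent token request with audience set to MGMT_AUDIENCE and the scope included.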
