Be sure to replace the USER_ID and MGMT_API_ACCESS_TOKEN placeholder values...
You can retrieve a Management API Token from a SPA (using the Management API’s audience to generate it) and use the token to call the Management API to retrieve the full user profile of the currently logged-in user.
I have to agree with this ticket, it is a bit of a maze to find the pertinent information and that page seems to be the main search result I kept hitting from google / stack overflow / forums / etc...
It's also odd that doing this from an SPA is discouraged considering my project did not require any server-side modifications to get this working. Perhaps this page should provide instructions on how to lock down a project to prevent users from accessing these scopes, and/or how to enable the relevant scopes if we want to go against the recommendations.
Better yet, how about just setting up appropriate DDoS protections for this scenario, so this use case can be part of the standard toolset instead of it being a potential vulnerability for anyone who doesn't get the configuration just right.
Auth0 does not recommend putting Management API Tokens on the frontend that allow users to change user metadata. This can allow users to manipulate their own metadata in a way that could be detrimental to the functioning of the applications. It also allows a customer to do a DoS attack against someone's management API by just spamming it and hitting rate limits.
https://auth0.com/docs/secure/tokens/access-tokens/get-management-api-tokens-for-single-page-applications
Issues
In the instructions for Retrieve a Management API token it incorrectly links to Get Management API Access Tokens for Testing.
Given that you are linking to /api/v2/users/{id} the placeholder is id. The management api access token should be in the Authorization HTTP header using the Bearer authentication scheme.
Suggestion
Provide the audience for below - https://{tenant}.auth0.com/api/v2/ ( as mentioned https://auth0.com/docs/secure/tokens/access-tokens/get-access-tokens#control-access-token-audience )
Reiterate that this scope needs to be requested.
Perhaps the scopes on the management api page should mention Scope for current user
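As an added example that is not part of this issue or of the Auth0 docs, the SPA-side call the suggestion above describes: request the token for the Management API audience with the current-user scope, check those claims locally before spending a request (a token minted for the wrong audience or without the scope only produces 401s that count against rate limits), then call /api/v2/users/{id} with the Bearer header and a URL-encoded user id. The tenant domain, the auth0-spa-js getTokenSilently() call and the scope name read:current_user are assumptions, not taken from the page.

```javascript
// Added example, not code from the Auth0 docs or from this issue. Assumes an
// auth0-spa-js client whose getTokenSilently() was called with the audience and
// scope below; "read:current_user" is the assumed scope name for one's own profile.
const TENANT_DOMAIN = "YOUR_TENANT.auth0.com"; // placeholder, replace with your tenant
const MGMT_AUDIENCE = `https://${TENANT_DOMAIN}/api/v2/`;
const REQUIRED_SCOPE = "read:current_user";

// Decode the JWT payload without verifying the signature: the SPA only uses this
// to avoid sending a token the API would reject; the API verifies the signature.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  let b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(atob(b64));
}

// Returns null if the token fits this request, otherwise the reason it does not.
function mgmtTokenProblem(token) {
  const claims = decodeJwtPayload(token);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(MGMT_AUDIENCE)) return "audience is not the Management API";
  const scopes = (claims.scope || "").split(" ");
  if (!scopes.includes(REQUIRED_SCOPE)) return `scope ${REQUIRED_SCOPE} was not granted`;
  if (typeof claims.sub !== "string" || !claims.sub) return "missing sub claim";
  return null;
}

// GET /api/v2/users/{id} for the token's own subject. User ids contain "|"
// (e.g. "auth0|abc123"), so the path segment must be URL-encoded.
function buildCurrentUserRequest(token) {
  const problem = mgmtTokenProblem(token);
  if (problem) throw new Error(problem);
  const { sub } = decodeJwtPayload(token);
  return {
    url: `https://${TENANT_DOMAIN}/api/v2/users/${encodeURIComponent(sub)}`,
    headers: { Authorization: `Bearer ${token}`, Accept: "application/json" },
  };
}

// Constructed, unsigned sample token so this file runs offline; no API accepts it.
// A real SPA gets the token from getTokenSilently() with MGMT_AUDIENCE/REQUIRED_SCOPE.
function sampleToken(claims) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.placeholder-signature`;
}

async function fetchCurrentUserProfile(token) {
  const { url, headers } = buildCurrentUserRequest(token);
  const res = await fetch(url, { headers });
  if (!res.ok) throw new Error(`Management API returned ${res.status}`);
  return res.json();
}
```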