Ok, I see.
So, you just want to update user_metadata
, none of the root attributes (email, name, etc.).
Available scopes are limited as per your linked docs
You can ask for the following scopes:
read:current_user
update:current_user_identities
create:current_user_metadata
update:current_user_metadata
delete:current_user_metadata
…
so, for example, scope update:users
isn’t.
Yes, I guess then it should be possible. TBH I haven’t tested it out myself yet with the older Auth0.js.
but without asking the user to re-login to get a token for the Management API audience
Even without helper method for updating a user profile in the newer auth0-spa-js SDK, you should still be able to get a proper access token for the management API with it. You just need to pass the audience
parameter into the loginWithRedirect
method.
Then use that token to make the Mgmt API call directly, without a helper method.
In case you need to get an access token for the Auth0 Mgmt API and one for your own API, so basically two access tokens, you can get the second one via Silent Authentication:
https://auth0.github.io/auth0-spa-js/classes/auth0client.html#gettokensilently
But in any case, since there’s an existing valid Auth0 session from the first login already, he wouldn’t need to re-login anyway.
So, summarizing: unless you really need this helper method to update the user profile in Auth0.js, you should be fine without it as well and can just use auth0-spa-js fine, if you don’t mind making that update request via a plain JS request.
In any case, whether you use one or two SDKs in your project: as long as you’re using the redirect flow via the Auth0 login page, which you do, and the user has a valid Auth0 session, he wouldn’t be prompted to re-login.
To avoid this second redirect (even though no prompt would be coming), you can rely on the mentioned Silent Authentication approach.