Ok, I see.
So, you just want to update user_metadata, none of the root attributes (email, name, etc.).
Available scopes are limited as per your linked docs
You can ask for the following scopes:
read:current_userupdate:current_user_identitiescreate:current_user_metadataupdate:current_user_metadatadelete:current_user_metadata
…
so, for example, scope update:users isn’t.
Yes, I guess then it should be possible. TBH I haven’t tested it out myself yet with the older Auth0.js.
but without asking the user to re-login to get a token for the Management API audience
Even without helper method for updating a user profile in the newer auth0-spa-js SDK, you should still be able to get a proper access token for the management API with it. You just need to pass the audience parameter into the loginWithRedirect method.
Then use that token to make the Mgmt API call directly, without a helper method.
In case you need to get an access token for the Auth0 Mgmt API and one for your own API, so basically two access tokens, you can get the second one via Silent Authentication:
https://auth0.github.io/auth0-spa-js/classes/auth0client.html#gettokensilently
But in any case, since there’s an existing valid Auth0 session from the first login already, he wouldn’t need to re-login anyway.
So, summarizing: unless you really need this helper method to update the user profile in Auth0.js, you should be fine without it as well and can just use auth0-spa-js fine, if you don’t mind making that update request via a plain JS request.
In any case, whether you use one or two SDKs in your project: as long as you’re using the redirect flow via the Auth0 login page, which you do, and the user has a valid Auth0 session, he wouldn’t be prompted to re-login.
To avoid this second redirect (even though no prompt would be coming), you can rely on the mentioned Silent Authentication approach.