Modify user_metadata with access token

I’ve been looking for an answer but I haven’t found one.
Is there a way that I can modify the data in user_metadata after I did a normal login?
What I mean is: can I allow the user who has just logged in using the normal OAuth flow to call an endpoint to modify the data? If so, what's the endpoint or SDK API to do so?

I read that the user can modify user_metadata and only read app_metadata, but I cannot find an example of how to do so.

I know I can modify the data using the token specific to the Management API with the right scope, but I'm not able to log in with that scope from a normal client, and I'd like to avoid having to create an API layer just to receive the request from the user and then modify the user with the admin Management API.


You can get a Management API access token, that is, a token whose audience looks like https://YOUR_TENANT.REGION.auth0.com/api/v2/ and that has a set of scopes allowing it to perform certain actions on the user who has logged in, without having to create an extra API layer. The scopes that you can obtain this way are the following:

read:current_user
update:current_user_identities
create:current_user_metadata
update:current_user_metadata
delete:current_user_metadata
create:current_user_device_credentials
delete:current_user_device_credentials

If you want to update the user's metadata, you would use the scope update:current_user_metadata. You would then call the corresponding Management API endpoint with that token.

Please take into consideration that the user will receive a consent dialog if you are using localhost or if your Management API doesn’t have the “Allow Skipping User Consent” switch turned on.

You can find more information about this in this document.


Not really sure how this answers OP's question. OP is aware of the Management API and is looking to avoid it. Are you suggesting that we create a fake "machine to machine" app to represent the client? Would this be "safe" if we limited this fake machine user to only the "update:current_user_metadata" scope? I actually tried to do this but was not able to find the "update:current_user_metadata" scope.

Hey @simon.vuong, I can see the cause of your confusion. Usually calling the Management API is reserved for machine-to-machine scenarios and is not something you would want to perform on the client side.

This is a special case, however (although not very well documented, I admit). There are a few Management API scopes that you can request during a regular authentication. Here's an example:

    // auth0.js (v9) example: request a Management API token for the current user
    // as part of the normal login, by naming the Management API as the audience.
    // The variable is called webAuth rather than auth0 so it does not shadow the
    // auth0 library global (inside a module or function, "var auth0 = new auth0.WebAuth"
    // would hit the hoisted, still-undefined local instead of the library).
    var webAuth = new auth0.WebAuth({
      domain: 'AUTH0_DOMAIN',
      clientID: 'CLIENT_ID',
      responseType: 'token id_token',
      redirectUri: 'REDIRECT_URI',
      // Management API audience: ties the returned access token to /api/v2/
      audience: 'https://AUTH0_DOMAIN/api/v2/',
      // Only the current_user scopes may be requested this way
      scope: 'openid profile email update:current_user_metadata'
    });

    // Redirects to Auth0; the access token comes back in the URL fragment
    webAuth.authorize();

This will return an access token that can be used to call the Management API, in this case one that can only update the current user's metadata.

Only the scopes that Anny listed in her answer can be requested like this. Note that all those scopes have to do with current_user, i.e. whoever is logged in at the moment, hence it's safe to use them on the client side. You do not need to create a separate machine-to-machine app to use this.

Makes sense?

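The two answers above stop at obtaining the token; what follows is an added example (not code from the thread or from Auth0's SDK) of the second half: reading the access token out of the redirect fragment, checking that it really is a Management API token carrying update:current_user_metadata for the signed-in user, and sending the PATCH /api/v2/users/{id} call that updates user_metadata. YOUR_TENANT.REGION.auth0.com is a placeholder, and the JWT at the bottom is a constructed, unsigned sample so the snippet runs offline; a real token is signed by Auth0 and, in a real page, you would normally let webAuth.parseHash extract it rather than parsing the hash by hand.

```javascript
// Added example, not part of the original thread. Assumes auth0.authorize() was
// called with audience https://AUTH0_DOMAIN/api/v2/ and responseType 'token id_token',
// so the Management API access token arrives in the URL fragment after the redirect.
const AUTH0_DOMAIN = 'YOUR_TENANT.REGION.auth0.com';           // placeholder tenant
const MGMT_AUDIENCE = `https://${AUTH0_DOMAIN}/api/v2/`;
const REQUIRED_SCOPE = 'update:current_user_metadata';

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/')
               .padEnd(Math.ceil(s.length / 4) * 4, '=');
  return new TextDecoder().decode(Uint8Array.from(atob(b64), c => c.charCodeAt(0)));
}

// Read a JWT's claims without verifying it. That is acceptable here: the browser is
// only deciding whether a call is worth making; Auth0 verifies the signature server-side.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Pull access_token out of "#access_token=...&id_token=...&expires_in=..." after the redirect.
function tokenFromHash(hash) {
  return new URLSearchParams(hash.replace(/^#/, '')).get('access_token');
}

// Return the user_id the token is bound to, or throw if the token is not a
// Management API token that carries the scope this call needs.
function checkManagementToken(accessToken) {
  const claims = decodeJwtPayload(accessToken);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(MGMT_AUDIENCE)) throw new Error('token is not for the Management API');
  const scopes = (claims.scope || '').split(' ');
  if (!scopes.includes(REQUIRED_SCOPE)) throw new Error(`token lacks ${REQUIRED_SCOPE}`);
  if (typeof claims.exp === 'number' && claims.exp * 1000 < Date.now()) throw new Error('token expired');
  return claims.sub;   // e.g. "auth0|5f1...": the current user, the only one this token can touch
}

// Build the Management API request. PATCH merges user_metadata at the top level,
// so only the keys you send change; a key set to null is removed.
function buildMetadataPatch(accessToken, patch) {
  const userId = checkManagementToken(accessToken);
  return {
    url: `${MGMT_AUDIENCE}users/${encodeURIComponent(userId)}`,
    init: {
      method: 'PATCH',
      headers: { Authorization: `Bearer ${accessToken}`, 'Content-Type': 'application/json' },
      body: JSON.stringify({ user_metadata: patch }),
    },
  };
}

// Send it. fetchFn is injectable so the function can be exercised without a network.
async function updateCurrentUserMetadata(accessToken, patch, fetchFn = fetch) {
  const { url, init } = buildMetadataPatch(accessToken, patch);
  const res = await fetchFn(url, init);
  if (!res.ok) throw new Error(`Management API returned ${res.status}`);
  return res.json();   // the updated user object, user_metadata included
}

// ---- constructed sample token (unsigned, alg "none"; a real one is signed by Auth0) ----
function makeSampleToken(claims) {
  const enc = o => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}
const SAMPLE_TOKEN = makeSampleToken({
  iss: `https://${AUTH0_DOMAIN}/`,
  sub: 'auth0|sampleuser',
  aud: [MGMT_AUDIENCE],
  exp: Math.floor(Date.now() / 1000) + 3600,
  scope: 'openid profile email update:current_user_metadata',
});

// In the browser: updateCurrentUserMetadata(tokenFromHash(window.location.hash), { theme: 'dark' })
```

Two practical points. The token is limited to the current user's own record, which is what makes this safe to hand to the browser, but it is still a bearer token: keep it in memory for the request rather than persisting it, and request only the current_user scopes you need. And because PATCH merges user_metadata at the top level, sending `{ prefs: { theme: 'dark' } }` replaces the whole `prefs` object, not just `prefs.theme`; read the current value first if you need to preserve sibling keys.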