I’m currently building a SPA with Ember.js and using Auth0 to handle user authentication.
One important feature for my app is that the user should be able to create, delete and update users directly from the app - not using the Auth0 dashboard (only the developers have access to the Auth0 account).
This article (The Auth0 Management APIv2 Token) describes how to get a token automatically with a Non-Interactive client using the Client Credentials grant, and involves passing your client_secret in order to retrieve an access token.
The problem is - I’m using a JavaScript front-end framework and the client_secret can be viewed in the source code by anyone visiting the app and clicking “show source”.
After some research, I found that SPAs are supposed to use the Implicit Grant flow to request an access token from an API - this would be a perfect solution, but it looks like I can’t use the Implicit Grant flow with the Auth0 management API.
So my question is: Can I use an Implicit Grant flow to get an access token from the Auth0 Management API?
If not, can I continue to use the Client Credentials exchange, as stated in the documentation, but somehow obscure the client_secret value in my front-end code?
I don’t want to have to write an API or write server-side code just to get an access token, unless there’s no other option.
I’m asking because I really can’t be the first person to run into this issue, and yet I’ve found no information on the topic, either here on the forums or in the Auth0 documentation articles.
Thanks in advance for any help or advice you can provide!
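The Client Credentials exchange the post describes, shown as an added example (not the poster's code and not Auth0's SDK) in the only place a client_secret can safely live: a small server-side token broker that the SPA calls instead of holding the secret. It assumes the tenant domain, client id and secret are supplied through the environment variables AUTH0_DOMAIN, AUTH0_CLIENT_ID and AUTH0_CLIENT_SECRET, and that the transport function can be swapped out so the logic runs offline.

```python
import json
import os
import time
import urllib.request
from typing import Callable, Optional


def management_token_request(domain: str, client_id: str, client_secret: str) -> dict:
    """Body of the Client Credentials exchange against Auth0's /oauth/token.
    The audience is the tenant's Management API identifier."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": f"https://{domain}/api/v2/",
    }


def http_post_json(url: str, body: dict) -> dict:
    """Real transport; tests inject a fake so nothing leaves the host."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


class ManagementTokenBroker:
    """Runs server-side only. The browser never sees client_secret; the SPA calls
    this backend after its own user login, and the backend performs the
    Management API calls (it should not hand the Management token to the browser)."""

    def __init__(self, domain: str, client_id: str, client_secret: str,
                 post: Callable[[str, dict], dict] = http_post_json,
                 clock: Callable[[], float] = time.time):
        self._domain, self._client_id, self._secret = domain, client_id, client_secret
        self._post, self._clock = post, clock
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def token(self) -> str:
        """Return the cached access token, refreshing it 60 s before expiry."""
        if self._token is None or self._clock() >= self._expires_at - 60:
            body = management_token_request(self._domain, self._client_id, self._secret)
            reply = self._post(f"https://{self._domain}/oauth/token", body)
            self._token = reply["access_token"]
            self._expires_at = self._clock() + float(reply["expires_in"])
        return self._token


def broker_from_env(post: Callable[[str, dict], dict] = http_post_json) -> ManagementTokenBroker:
    """The secret is read from the server's environment, never from a shipped bundle."""
    return ManagementTokenBroker(os.environ["AUTH0_DOMAIN"], os.environ["AUTH0_CLIENT_ID"],
                                 os.environ["AUTH0_CLIENT_SECRET"], post)
```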