I made an SPA (Angular2) thats supposed to connect to the Fitbit API while using Auth0.
I would like to use lock.js for this and I am able to get access to my Fitbit profile through Lock using the following params:
params: { audience: 'https:/***]/api/v2/', responseType: 'id_token token', scope: 'openid read:current_user' }
But, when I retrieve the JSON file I cant find the IDP token (access token) I would need to further access the Fitbit API, like activities for example.
Googling the problem it states I need to grant the read:user_idp_tokens scope. However, this gives access denied error… since this scope is not supposed to be accessed by an end-user, How do I proceed?
Access to the read:user_idp_tokens scope requires a token granted to a confidential client using the client credentials grant. The reason for this is that the underlying access token may have been issued (in this case by Fitbit) based on the assumption that it was in association with a server-side exchange and that it would never be exposed to the end-user and/or to code running within a client-side machine (which would be the case for a SPA).
Due to this requirement the correct approach for your SPA to access the Fitbit API using the access token issued to Auth0 is for it to call an intermediary API/service that is able to perform a client credentials grant. This intermediary needs to be provided by you and it should enforce the necessary access control you would see fit.
Okay, That made things clear now,
For now I will steer away from Angular2 and move over to MVC ASP.net,
I find this much more straightforward and I dont really need the SPA functionality anyway.
Thank you for the answer.