We need to allow a user with an elevated role to set/modify the role of other users. Currently we are storing their role in their app_metadata. How can we allow someone to modify someone else’s app_metadata from within our application?
We are have an SPA with angular v1.3, lock v10, auth0js v8.
You can make use of Auth0 Management API’s Update a user endpoint to modify the user’s app_metadata from within the application. You can put role based checks to only allow user with an elevated role to set/modify the role of other users.
Thanks for the response.
How would I go about implementing that without needing to store an API key somewhere on the frontend?
You can store the API key and other info in a configuration file(a json file) and use gulp to generate an angular module of constants which can be used in the app without leaking potentially sensitive info into your repo. More details around this can be found here.
ok I came across this, which looks like a more secure alternative. We will probably use/mimic this implementation: GitHub - twistedstream/auth0-user-management-service: A webtask service that allows "admin" users within an Auth0 account to manage other users
Do you have any thoughts on it?