I am trying to build a CLI tool that uses the management API to configure my tenant. However, I’m running into insufficient scope errors, because none of the management scopes are being provided to my access token.
I’m requesting the access token from a Native client application using the Device flow. The token is issued, but none of the read:* scopes I request is granted, only the offline_access scope.
I can find that SPAs are limited in what they can do with the Management API, but nothing about Native apps. Using a M2M client would also work, but the tokens issued for such a client are user-independent (we have more than one admin). Also, that would mean the CLI has to be configured with the client secret, which does not seem like a good idea.
Any advice here?
Making progress. First thing I learned is that I was trying this the wrong way, but I’m also still stuck.
It turns out that when authenticating, I was using my test user of my tenant, who (of course) does not have admin privileges. So that’s my mistake.
With that new insight, I would need to login with my Auth0 dashboard user account, which does not live in this tenant, but in the main auth0 tenant. Since I cannot create clients there, it seems that building this myself is not going to work.
I also found the Auth0 CLI, which does the process I covered above. It has a client in the main Auth0 tenant and uses the Device flow to authenticate an Auth0 admin user.
If I use this client’s info in my CLI, it actually gets a token with relevant scopes and allows me to access some information. Unfortunately, not all scopes are enabled for this CLI, so it still causes me issues.
Any further insights would be appreciated …
The Management API is not meant to be called in the context of a user aside from a few scopes. (This would be good information to have in our docs for other types of applications than SPAs.)
Unfortunately, you won’t be able to create a client with the same capabilities as the Auth0 CLI client, because you can only sign in via device flow as a user of your tenant, not a tenant admin user.
To implement this, you could create an API that proxies requests to the Management API. The API would have a machine-to-machine application that is authorized to use the Management API with all of the scopes that you need (M2M tokens issued for internal APIs such as the Management API do not count toward the M2M token limit). And then you would register the API in your tenant and use its identifier as the audience in your CLI. The CLI would make requests to this API instead of the Management API directly.
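The proxy-API pattern described in this reply, sketched as an added example (not code from the reply's author or from Auth0): the proxy validates the user's token issued for the proxy API's own audience, maps each allow-listed Management API route to a scope the user must hold, and only then forwards the call with a cached client-credentials token so the M2M secret never reaches the CLI. The issuer, audience and route names are constructed placeholders, `fake_token_endpoint` and `fake_upstream` stand in for the real token endpoint and Management API, and signature verification of the user's JWT is assumed to be done beforehand by a JWT library against the tenant's JWKS.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed placeholder identifiers; replace with your tenant's real values.
TENANT_ISSUER = "https://YOUR_TENANT.example.auth0.com/"  # issuer of user tokens (placeholder)
PROXY_AUDIENCE = "https://mgmt-proxy.example.com"         # identifier of the proxy API registered in the tenant
MGMT_BASE_URL = TENANT_ISSUER.rstrip("/")                 # Management API lives under <issuer>/api/v2/

# Allow-list of routes the proxy forwards, each mapped to the scope the user's
# proxy-API token must carry. Anything not listed is refused outright.
ROUTE_SCOPES: Dict[Tuple[str, str], str] = {
    ("GET", "/api/v2/clients"): "read:clients",
    ("GET", "/api/v2/connections"): "read:connections",
    ("PATCH", "/api/v2/clients"): "update:clients",
}


class AuthError(Exception):
    """Raised when the caller's token fails validation (maps to HTTP 401)."""


def check_user_claims(claims: dict, now: float) -> Set[str]:
    """Issuer/audience/expiry checks on a token whose signature a JWT library
    has ALREADY verified against the tenant's JWKS; returns the granted scopes."""
    if claims.get("iss") != TENANT_ISSUER:
        raise AuthError("unexpected issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if PROXY_AUDIENCE not in audiences:
        raise AuthError("token was not issued for the proxy API")
    if float(claims.get("exp", 0)) <= now:
        raise AuthError("token expired")
    return set(claims.get("scope", "").split())


def route_scope(method: str, path: str) -> Optional[str]:
    """Scope required for an allow-listed route, or None if the route is not exposed."""
    for (m, prefix), scope in ROUTE_SCOPES.items():
        if m == method and (path == prefix or path.startswith(prefix + "/")):
            return scope
    return None


@dataclass
class M2MTokenCache:
    """Caches the client_credentials token used towards the Management API.
    `fetch` performs the token request (secret stays server-side) and returns
    the token endpoint's JSON, at least access_token and expires_in."""
    fetch: Callable[[], dict]
    skew_seconds: int = 60
    fetch_count: int = 0
    _token: Optional[str] = None
    _expires_at: float = 0.0

    def get(self, now: float) -> str:
        if self._token is None or now >= self._expires_at - self.skew_seconds:
            resp = self.fetch()
            self._token = resp["access_token"]
            self._expires_at = now + float(resp["expires_in"])
            self.fetch_count += 1
        return self._token


class ManagementProxy:
    """`upstream(method, url, headers, body)` performs the HTTP call and returns (status, json)."""

    def __init__(self, m2m: M2MTokenCache, upstream: Callable[[str, str, dict, object], Tuple[int, object]]):
        self.m2m = m2m
        self.upstream = upstream

    def handle(self, method: str, path: str, user_claims: dict, body=None,
               now: Optional[float] = None) -> Tuple[int, object]:
        now = time.time() if now is None else now
        try:
            granted = check_user_claims(user_claims, now)
        except AuthError as e:
            return 401, {"error": "invalid_token", "detail": str(e)}
        needed = route_scope(method, path)
        if needed is None:
            return 404, {"error": "route_not_exposed"}
        if needed not in granted:
            # Authenticated, but this admin was not granted the scope for this operation.
            return 403, {"error": "insufficient_scope", "required": needed}
        headers = {"Authorization": "Bearer " + self.m2m.get(now), "Content-Type": "application/json"}
        return self.upstream(method, MGMT_BASE_URL + path, headers, body)


def demo() -> dict:
    """Runs the proxy against constructed fakes (no network) and returns the outcomes."""
    calls = []

    def fake_token_endpoint() -> dict:  # stands in for POST <issuer>/oauth/token, grant_type=client_credentials
        return {"access_token": "m2m-token-constructed", "expires_in": 86400}

    def fake_upstream(method, url, headers, body):  # stands in for the Management API
        calls.append((method, url, headers["Authorization"]))
        return 200, [{"client_id": "constructed-client", "name": "Demo"}]

    proxy = ManagementProxy(M2MTokenCache(fake_token_endpoint), fake_upstream)
    now = 1_700_000_000.0
    base = {"iss": TENANT_ISSUER, "aud": PROXY_AUDIENCE, "exp": now + 3600, "sub": "auth0|admin-a"}
    statuses = [
        proxy.handle("GET", "/api/v2/clients", dict(base, scope="read:clients openid"), now=now)[0],
        proxy.handle("GET", "/api/v2/clients", dict(base, scope="openid"), now=now)[0],  # missing scope
        proxy.handle("DELETE", "/api/v2/clients/abc", dict(base, scope="delete:clients"), now=now)[0],  # not exposed
        proxy.handle("GET", "/api/v2/clients", dict(base, scope="read:clients", exp=now - 1), now=now)[0],  # expired
        proxy.handle("GET", "/api/v2/connections", dict(base, scope="read:connections"), now=now + 60)[0],
    ]
    return {"statuses": statuses, "m2m_fetches": proxy.m2m.fetch_count, "upstream_calls": calls}
```

The CLI side then requests its device-flow token with the proxy's identifier as `audience`, so the per-admin scopes live on the proxy API rather than on the Management API; the proxy's allow-list is what keeps a single M2M token with broad Management scopes from being usable for anything the CLI does not need.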