Allow currently logged in user of Web App to delete their account

Hi,
I am a rookie web developer who is developing a SPA using NextJS and React. Authentication is handled by Auth0 via ‘auth0/nextjs-auth0’. This is the only Auth0 package that I have installed.

From within my web app, if the currently logged in user decides to click on ‘Delete Account’ how do I make the call to Auth0 to delete that user?

In the Auth0 Dashboard > APIs, I can see two APIs defined.

  1. Auth0 Management API (system API): https://myapp.auth0.com/api/v2/ already exists.
  2. MyApp (custom API)

I presume I can therefore make a call to ‘https://myapp.auth0.com/api/v2/users/{id}’?

If so how or where do I pass/set the scope?
Which scope is required ‘delete:users’ or ‘delete:current_user’?

Thanks.

Hi @jinteki,

Welcome to the Community!

It is possible to get an Access Token for the Management API so that the current user can update their profile, however, they will not be able to delete their account. The DELETE /api/v2/users/{id} endpoint requires the delete:users permission which is not in the list of available scopes and endpoints for SPAs.

You can read more about getting an Access Token for your SPA here: Get Management API Access Tokens for Single-Page Applications

Here are a couple of options you might consider:

  1. Allow users to deactivate their account by storing a flag in the user’s app_metadata that indicates whether the account is active or not. You could use the PATCH /api/v2/users/{id} endpoint for this and request the update:current_user_metadata as a scope for the Auth0Provider in the app.
  2. Create a Machine-to-Machine application for your own custom API and authorize it to use the delete:users scope. Instead of the client making the request to the Management API, it would be the backend. For example, if you are using the Node Management API client :
  management.users.delete({ id: USER_ID }, function (err) {
    if (err) {
      // Handle error.
    }
 
    // User deleted.
  });

Hi @stephanie.chamblee,

Thanks for the reply. I implemented the second option of MtM and it all works.

Here are the steps that I went through in case it is useful for someone else.

  1. Installed node-auth0.
  2. From Dashboard > Applications, created a new MtM application, ‘MyApp MtM’.
  3. Clicked on MyApp MtM > APIs, and set the Auth0 Management API authorized switch to ‘on’.
  4. Clicked on the small ‘down arrowhead’ to the right of the Authorized switch and selected delete:users from the Permissions.

Then from my Web App I was able to call my deleteUser API which implements:

const ManagementClient = require('auth0').ManagementClient

// Credentials of the MtM application; these stay on the server.
const management = new ManagementClient({
  domain: 'my-app.auth0.com',
  clientId: '<MyApp MtM clientId>',
  clientSecret: '<MyApp MtM clientSecret>',
  scope: 'delete:users'
})

management.deleteUser({ id: auth0UserId }, function (err) {
  if (err) {
    // Handle error and stop here so the success message is not logged too.
    console.log('> Delete Auth0 user, err = ', err)
    return
  }

  // User deleted.
  console.log('Auth0 user deleted')
})

Note: the ManagementClient now uses management.deleteUser

Thanks for your help.

3 Likes
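The two options above (soft deactivation through app_metadata, and hard deletion through a Machine-to-Machine client on the backend) share one security requirement that the thread's snippets leave implicit: the server must derive the user id from the caller's own session and never act on an id the browser supplies. The following is an added example, not code from the thread, from Auth0, or from the node-auth0 library. It models a backend route (for example a Next.js API route) with the Management API reached through two injected functions, `deleteAuth0User(id)` and `updateAppMetadata(id, fields)`, which are assumed wrappers around `management.deleteUser` and the PATCH user endpoint; `getSession(req)` is assumed to behave like the session lookup from `@auth0/nextjs-auth0` (session object or null). The session store and the Management API stand-in are constructed so the example runs offline.

```javascript
// Added example (not from the thread or from Auth0): a backend "account"
// endpoint that only ever deletes or deactivates the caller's own Auth0 user.
// Injected dependencies are assumptions, not real auth0 package APIs:
//   getSession(req)                -> logged-in session or null
//   deleteAuth0User(id)            -> wraps management.deleteUser({ id })
//   updateAppMetadata(id, fields)  -> wraps PATCH /api/v2/users/{id} app_metadata
function createAccountHandler({ getSession, deleteAuth0User, updateAppMetadata, log = () => {} }) {
  return async function handleAccount(req) {
    if (req.method !== 'POST') {
      return { status: 405, body: { error: 'method_not_allowed' } };
    }
    const session = await getSession(req);
    if (!session || !session.user || !session.user.sub) {
      return { status: 401, body: { error: 'not_authenticated' } };
    }
    const ownId = session.user.sub;
    // The only id this handler acts on comes from the session. A client-supplied
    // id is accepted purely as a confirmation and must match; otherwise refuse.
    const requested = req.body && req.body.id;
    if (requested !== undefined && requested !== ownId) {
      log(`refused: ${ownId} asked to act on ${requested}`);
      return { status: 403, body: { error: 'forbidden' } };
    }
    const action = req.body && req.body.action;
    try {
      if (action === 'deactivate') {
        // Option 1: soft deactivation via a flag in app_metadata.
        await updateAppMetadata(ownId, { active: false });
        return { status: 200, body: { deactivated: ownId } };
      }
      if (action === 'delete') {
        // Option 2: hard delete through the MtM client; delete:users stays server-side.
        await deleteAuth0User(ownId);
        log(`deleted ${ownId}`);
        return { status: 204, body: null };
      }
      return { status: 400, body: { error: 'unknown_action' } };
    } catch (err) {
      // Log upstream failures server-side; do not echo their details to the browser.
      log(`management api failed for ${ownId}: ${err.message}`);
      return { status: 502, body: { error: 'upstream_error' } };
    }
  };
}

// Constructed stand-in for the Management API so the example runs offline.
// One user id is made to fail so the error path is exercised.
function createFakeManagement() {
  const deleted = [];
  const metadata = {};
  return {
    deleted,
    metadata,
    deleteAuth0User: async (id) => {
      if (id === 'auth0|flaky') throw new Error('HTTP 500 from /api/v2/users');
      deleted.push(id);
    },
    updateAppMetadata: async (id, fields) => {
      metadata[id] = Object.assign({}, metadata[id], fields);
    },
  };
}

// Constructed session store keyed by the appSession cookie value.
const SESSIONS = {
  'sid-alice': { user: { sub: 'auth0|alice' } },
  'sid-mallory': { user: { sub: 'auth0|mallory' } },
  'sid-flaky': { user: { sub: 'auth0|flaky' } },
};
async function fakeGetSession(req) {
  const sid = req.cookies && req.cookies.appSession;
  return SESSIONS[sid] || null;
}

// Runs the handler through the cases a reviewer would want covered.
async function runScenarios() {
  const fake = createFakeManagement();
  const handler = createAccountHandler({
    getSession: fakeGetSession,
    deleteAuth0User: fake.deleteAuth0User,
    updateAppMetadata: fake.updateAppMetadata,
  });
  const post = (cookie, body) =>
    handler({ method: 'POST', cookies: cookie ? { appSession: cookie } : {}, body });
  return {
    anonymous: await post(null, { action: 'delete' }),
    self: await post('sid-alice', { action: 'delete' }),
    other: await post('sid-mallory', { action: 'delete', id: 'auth0|alice' }),
    deactivate: await post('sid-mallory', { action: 'deactivate' }),
    upstream: await post('sid-flaky', { action: 'delete' }),
    deleted: fake.deleted,
    metadata: fake.metadata,
  };
}

runScenarios().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The `other` scenario is the one worth noticing: a logged-in user who posts somebody else's id gets a 403 and nothing is deleted, because the handler never passes a request-supplied id to the Management API. Replacing the two fake functions with real calls through the `ManagementClient` from the posts above keeps the client secret and the `delete:users` permission entirely on the backend, which is the reason the SPA cannot be granted that scope directly.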

That’s great, thanks for sharing your solution in detail!
