Any guidance on regular web app credentials correct usage to access Management API?

Working on a Remix app that reuses a Management API client defined like this (to update user / metadata):

import { ManagementClient } from 'auth0';

// getOrThrow is a helper defined elsewhere in the app (reads a config value, throws if unset)
const management = new ManagementClient({
    domain: getOrThrow("AUTH0_DOMAIN"),
    clientId: getOrThrow("AUTH0_CLIENT_ID"),
    clientSecret: getOrThrow("AUTH0_CLIENT_SECRET"),
});

...

return await management.users.update({ id: userId }, filteredUpdate);

It doesn’t work, with the message:

AuthApiError: Client is not authorized to access "https://MY_AUTH0_DOMAIN.au.auth0.com/api/v2/". You need to create a "client-grant" associated to this API. See: https://auth0.com/docs/api/v2#!/Client_Grants/post_client_grants

Ok, reading the article and trying to create the grant exactly as described in the documentation:

curl -L 'https://login.auth0.com/api/v2/client-grants' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d '{
    "client_id":"MY_CLIENT_ID",
    "audience":"https://MY_APP_DOMAIN.au.auth0.com/api/v2/",
    "scope":["create:client_grants"]
}'

and it fails with the error

{"statusCode":401,"error":"Unauthorized","message":"Missing authentication"}

It seems like either I am missing something or the documentation is incomplete, but I cannot figure out what to fix.

All the credentials are used on the server side and never leak to the client.

Please assist!

Hey there @h825 ,

Your Management API client has to be added to your Auth0 tenant as an M2M application. This M2M application has to be authorized for the Management API along with the relevant permissions, like update:users (you can do all this via the Auth0 dashboard).

In your case I believe you are missing the last part - permissions.

Please let us know how it goes!

Thank you @marcelina.barycka. I will try to do that, but could you please also point me to the docs section which describes WHY it works this way. I checked the “flows” section and it seems legit to use client id/secret for actions like this. Now I cannot get the full work cycle.


You’re welcome @h825 !

I believe you are asking why, in a backend service (like a regular web app), you still need to use the Management API client credentials and the M2M flow linked to it.

Any time you want to:

you use M2M apps granted the relevant permissions for these tasks.

In contrast, if your backend service integrates with Auth0 to perform user authentication and authorization, you use the flows reserved for Regular Web Apps.
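To make the two answers above concrete, here is an added example (not code from the thread or from the Auth0 SDK) of what the SDK does for you under the hood: a client-credentials (M2M) token request to the tenant's token endpoint with the Management API as audience, followed by a check that the issued token actually carries the permission the call needs before the user update is attempted. It assumes Node 18+ (global fetch); the domain, client id/secret and user id are placeholders you supply.

```javascript
// Added example, not code from the thread: get a Management API token with the
// client-credentials (M2M) grant and check, before calling the API, that the
// token carries the permission the call needs (update:users). Node 18+ (fetch).
// Domain, client id/secret and the user id are placeholders you supply.

function buildTokenRequest(domain, clientId, clientSecret) {
  // Token endpoint and audience are both on the tenant domain; the audience is
  // the Management API identifier and keeps its trailing slash.
  return {
    url: `https://${domain}/oauth/token`,
    body: { grant_type: 'client_credentials', client_id: clientId,
            client_secret: clientSecret, audience: `https://${domain}/api/v2/` },
  };
}

function decodeJwtPayload(token) {
  // Decode only, no signature check: we are reading the scope claim of a token
  // the tenant just issued to us, not trusting one presented by a caller.
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

function missingScopes(token, required) {
  // The scope claim is space separated; return the permissions we lack.
  const granted = new Set((decodeJwtPayload(token).scope || '').split(' '));
  return required.filter((s) => !granted.has(s));
}

async function updateUser(domain, clientId, clientSecret, userId, patch) {
  const req = buildTokenRequest(domain, clientId, clientSecret);
  const tokenRes = await fetch(req.url, { method: 'POST',
    headers: { 'content-type': 'application/json' }, body: JSON.stringify(req.body) });
  // With no client grant for the API at all, the "Client is not authorized"
  // error quoted in the question comes back from this token request.
  if (!tokenRes.ok) throw new Error(`token request failed: ${tokenRes.status}`);
  const { access_token } = await tokenRes.json();
  const missing = missingScopes(access_token, ['update:users']);
  if (missing.length) {
    // Grant exists but lacks this permission: add it in the dashboard instead
    // of letting the PATCH below fail.
    throw new Error(`client grant lacks permissions: ${missing.join(', ')}`);
  }
  const res = await fetch(`https://${domain}/api/v2/users/${encodeURIComponent(userId)}`, {
    method: 'PATCH', body: JSON.stringify(patch),
    headers: { authorization: `Bearer ${access_token}`, 'content-type': 'application/json' },
  });
  if (!res.ok) throw new Error(`update failed: ${res.status}`);
  return res.json();
}
```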
