Auth0 Home Blog Docs

Api/v2/users returns Bad Request

Hi,
I’m trying to receive profile information using the endpoint GET /api/v2/users/myUserId, but I always get:
{
“statusCode”:400,
“error”:“Bad Request”,
“message”:“Bad HTTP authentication header format”,“errorCode”:“Bearer”
}

I use method UsersAPIClient:getProfile() from your library Auth0.Android. When I log in I send next scopes: “openid profile email offline_access read:users read:user_idp_tokens”.

I also tried to call it using curl:

curl --request GET
–url ‘https://mydomain.auth0.com/api/v2/users/email|666example666
–header ‘authorization: Bearer myAccessToken’

I also tried to change the format of user id: part without word ‘email’, change symbol ‘|’ to ‘%7C’, but result didn’t change.

Help me, please

Most of the scopes available to call Management API can only be obtained via a client credentials grant (https://auth0.com/docs/api/management/v2/tokens). The scope read:users would be an example of a scope that required client credentials; this means that you can’t obtain a valid access token to call an endpoint that requires that scope through an end-user based authentication request.

In addition, given this is a native application which is an OAuth 2.0 public client you won’t be able to perform client credentials from that application. Based on the scopes you’re requesting your goal seems to be obtaining end-user access tokens associated with a social provider. You can technically achieve this by having a back-end you control perform the client credentials grant, however, you would need to be very careful about these access tokens and the general recommendation would be to not surface them to a native client application.

In conclusion, if the use case assumption above is correct you should likely have a back-end API in the middle to handle social provider access tokens obtained as part of a login and use them to perform actions, but never exposing the access token itself to the native client. Also, you would still need to ensure proper authentication and authorization in your back-end API, but at least you would not expose the tokens directly.

Finally, if you’re wondering why go through that if I’ll likely need to obtain a different access token to call the back-end API which in turn will use the social access token to do some action. The reason is that the social providers access tokens obtained as part of a login were obtained through a back-end flow where client authentication could be performed; due to this the access token may have characteristics that are not suitable for a public client (for example, an extended lifetime).

1 Like

Thank you for your detailed answer.
My final goal is to add additional information to all accounts which authenticate in my application. Firstly, I tried using method updateMetadata() from a library Auth0.Android, but I received the same error (Bad Request). After that I decided to try other methods from same endpoint api/v2/users/.
How can I add additional information? Is it possible only by using your describing method?

If the additional information to add is always in respect to the user that completed the logged in and this information is directly manageable by end-users then you could store it as part of user_metadata. As I mentioned before, most scopes for Management API cannot be obtained in an end-user flow, however, it’s possible to obtain some scopes that allow operation to be performed in a single user (the one that logged in).

One of those operations would be updating user_metadata; there’s reference information on how to obtain such access token at (https://auth0.com/docs/api/management/v2/get-access-tokens-for-spas). This page is associated with SPA’s, but native applications are also OAuth 2.0 public clients like SPA’s so the same would apply to them.