App that requires access to my users' Auth0 Tenant Management API v2

Hello,

I’m building an application that requires read:users access to my user’s Auth0 Management API. What would be the best approach for the user to consent to provide this access and therefore grant me an Access (+Refresh?) token to execute this?

I’m not sure about your setup, so I don’t really understand why you would need a user’s permission to read their user info. If this is your own user, you should be able to just read their info through the /userinfo route. If it is some other user, they will not be able to authorize access to the management API by design; that API is meant for managing users and is restricted to authorized users.

If this is some user outside of your tenant that you want to get their information from, I think this is a use case for SSO; being able to authenticate and authorize with another Identity Provider. Because otherwise, you can’t just pass user information as plaintext, the JWT is encrypted and will not tell you anything.

As an aside, see here to learn how to get a Management API Access Token.

It’s the owner of the Auth0 tenant – it’s so that I can run analysis on their users tables. What I really need is a way to get the production bearer token (as outlined in these steps: Get Management API Access Tokens for Production) but through a web app interface. It doesn’t sound like them posting client secrets into a web page is very secure.

Hey @harshilmattoo !

Correct! In general, we recommend proxying requests through a backend if possible. While you can get a Management API access token in a SPA, the scopes/permissions are rather limited by design. Here’s a simple example using the node-auth0 ManagementClient:
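
The backend-proxy approach recommended above, as an added example that is not part of the original post and is not Auth0's own code: it uses plain HTTP calls to the tenant's `/oauth/token` and `/api/v2/users` endpoints rather than the node-auth0 ManagementClient, keeps the machine-to-machine client secret on the server, caches the token until shortly before expiry, and requests only the fields an analysis needs. The function name `createUserReader`, the injected `fetchImpl` and `now` parameters, and the chosen field list are assumptions made for illustration.

```javascript
// Added example (not from the original thread). Runs on the backend only:
// the client secret never reaches the browser. Assumes a machine-to-machine
// application on the tenant that has been granted just the read:users scope.
function createUserReader({ domain, clientId, clientSecret,
                            fetchImpl = globalThis.fetch, now = Date.now }) {
  let cached = null; // { token, expiresAt } kept in server memory

  // Client-credentials exchange against the tenant's token endpoint.
  async function getToken() {
    if (cached && now() < cached.expiresAt) return cached.token;
    const res = await fetchImpl(`https://${domain}/oauth/token`, {
      method: 'POST',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({
        grant_type: 'client_credentials',
        client_id: clientId,
        client_secret: clientSecret,
        audience: `https://${domain}/api/v2/`,
      }),
    });
    if (!res.ok) throw new Error(`token request failed: ${res.status}`);
    const { access_token, expires_in } = await res.json();
    // Renew 60 s early so no request is sent with an expired token.
    cached = { token: access_token, expiresAt: now() + (expires_in - 60) * 1000 };
    return access_token;
  }

  // One page of users, limited to the fields the analysis needs.
  async function listUsers(page = 0, perPage = 50) {
    const token = await getToken();
    const qs = new URLSearchParams({
      page: String(page),
      per_page: String(perPage),
      fields: 'user_id,created_at,logins_count',
      include_fields: 'true',
    });
    const res = await fetchImpl(`https://${domain}/api/v2/users?${qs}`, {
      headers: { authorization: `Bearer ${token}` },
    });
    if (!res.ok) throw new Error(`users request failed: ${res.status}`);
    return res.json();
  }

  return { listUsers };
}
```

The web app's own route handler calls `listUsers()` after authenticating the caller, so the browser only ever sees the reduced user records, never the Management API token or the secret.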