In our company we use Auth0 for authentication of the frontend and backend. The backend normally just gets a JWT from the frontend to operate. A couple of calls need an access token for the API by the backend but this is obtained automatically, so that we can update the user for example. Now as a backend developer, it is really complicated to obtain a JWT for testing. You either need to use the generic one from the Auth0 dashboard (which fails on all of the management API calls) or you need to get the token manually i.e. by logging into the frontend and then having the JWT displayed there. How can we do this more efficiently? I was thinking of setting env variables for the backend devs, where they provide username and password and get a JWT for testing when they start the server, this doesn’t work however.
You can use the Auth0 CLI to generate access tokens:
auth0 test token -a https://<your-auth0-domain>/api/v2/ -s openid
Thanks for the response! However this doesn’t solve my problem. This only gives me the same generic token that I can access via the auth0 dashboard. The authentication works fine with that, but as soon as I want to update the user_metadata via the management API it says
Object didn't pass validation for format user-id: XXX@clients because it seems this is a generic token. I need exactly this token, but for a specific user.
Note: I had to change the audience to my actual API audience, otherwise it would say Audience doesn’t match.
I think this happens when you authenticate as a machine, but I could be wrong. Did you try authenticating as a user?
No it seems that you are absolutely correct. I used the machine-to-machine application that was supplied by auth0, but I should have used the frontend application with the command you provided. Thanks a lot!
Is there a way to achieve this via the HTTP API and not the command? I would like to improve the developer experience, so that not every backend developer has to call this command all the time, but that we can generate the access in the background and automatically apply the token for the user account. I imagine that they would set a user and password env variable and then we automatically generate a token every time they need one.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.