Auth0 Delegated Admin Dashboard Missing Scope Read:Users

I followed the guide here Delegated Administration Extension v3 but am getting Missing scope read:users instead of the dashboard.

What I have done:

  • Created a single page application and called it Users Dashboard
  • Given the Users Dashboard application a callback and logout URL as specified in the documentation
  • I already had a database connection from my application and I have the disable signups toggle enabled
  • I ensured that the Users Dashboard application only has the one database connection
  • I already had a user in the database connection
  • I created a role titled “Delegated Admin - User” and assigned it to the user in the database
  • I then created the following rule
function (user, context, callback) {
    if (true) {
        const namespace = 'https://MY_TENANT.eu8.webtask.io/auth0-delegated-admin';
        context.idToken[namespace] = {
            roles: (context.authorization || {}).roles
        };
    }
    callback(null, user, context);
}

I then installed the delegated admin extension, giving it the client ID of the Users dashboard I created.

Then I clicked on the extension, logged in using the user credentials in the database and got the error:
Oh snap! An error occurred while loading the users list: Cannot perform action. Missing scope read:users

1 Like

Hi @samrobbins85,

welcome to the community.

Oh snap! An error occurred while loading the users list: Cannot perform action. Missing scope read:users

Can you post a screenshot of what the error looks like; wanting to see where exactly it occurs and what it looks like on screen.

Also, can you check if there’s any more info in the log details under Dashboard > Logs > Search?


Just based on the error message, I suggest checking one thing:

  1. get the client id of your application named auth0-delegated-admin
  2. go to Dashboard > APIs > Auth0 Management API > Test > copy/paste the token from there
  3. go to Auth0 Management API v2
  4. copy the token from step 2 in the upper-left hand corner
  5. then enter the client id from step 1 into the client_id field under section “Get client grants” (see screenshot below)
  6. check the result to see if, for the Auth0 Management API, it actually has the read:users scope. (see screenshot below)

Or easier:

  1. Turn the auth0-delegated-admin from a “Generic” into a “Regular Web App” in the settings, then…
  2. …it will appear under Dashboard > APIs > Auth0 Management API > Machine to Machine
  3. and you can check its permissions from there:

I tried the second option you gave but got the same error, it looks like this

I checked the logs and there were no failed requests

Did you manage to fix this? We’re hitting the same issue now.

Not sure what @samrobbins85’s issue was, but it turns out our issue was a namespacing one if anyone comes up against the same error.

We were using an Auth0 domain for the attribute in our custom rule (see here), so it was being automatically excluded from our tokens. Any valid namespace works. I assume it just has to end in auth0-delegated-admin for the extension to pick up on it.

1 Like
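
The namespacing problem described in the reply above can be confirmed by decoding the ID token the dashboard receives and looking for the roles claim. This is an added example, not code from the thread or from Auth0; the list of Auth0-owned domains and the `/auth0-delegated-admin` suffix match are assumptions, and the sample tokens are constructed.

```javascript
// Added example: diagnose a missing Delegated Admin roles claim in an ID token.
// Decodes the payload only (no signature check): a debugging aid, never an authorization check.

// Assumption: domains treated as Auth0-owned and dropped from custom claim namespaces.
const AUTH0_DOMAINS = ['auth0.com', 'webtask.io', 'webtask.run'];
// Assumption (shared by the poster above): the extension matches on this suffix.
const CLAIM_SUFFIX = '/auth0-delegated-admin';

function isAuth0Namespace(namespace) {
  let host;
  try {
    host = new URL(namespace).hostname.toLowerCase();
  } catch (e) {
    return false; // not a URL, so not an Auth0-domain namespace
  }
  return AUTH0_DOMAINS.some((d) => host === d || host.endsWith('.' + d));
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Returns { status, claim, roles } for the first claim key ending in CLAIM_SUFFIX.
function checkDelegatedAdminClaim(token) {
  const payload = decodeJwtPayload(token);
  const claim = Object.keys(payload).find((k) => k.endsWith(CLAIM_SUFFIX));
  if (!claim) return { status: 'claim-missing', claim: null, roles: [] };
  const roles = (payload[claim] || {}).roles;
  if (!Array.isArray(roles) || roles.length === 0) {
    return { status: 'roles-empty', claim, roles: [] };
  }
  return { status: 'ok', claim, roles };
}

// Constructed, unsigned sample tokens ("sig" is a placeholder third segment).
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.sig`;
}
const goodToken = makeSampleToken({
  sub: 'auth0|constructed',
  'https://example.com/auth0-delegated-admin': { roles: ['Delegated Admin - User'] },
});
const strippedToken = makeSampleToken({ sub: 'auth0|constructed' }); // claim was dropped

console.log(checkDelegatedAdminClaim(goodToken).status, checkDelegatedAdminClaim(strippedToken).status);
```

A `claim-missing` result combined with `isAuth0Namespace(...)` returning true for the namespace used in the rule points at the namespace; `roles-empty` points at the role assignment instead.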

Thanks a ton for sharing it with the rest of the community @tmeumann_ais!
