Auth0-js : can't set scope

Hello,

I want to be able to update user metadata. When i send a PATCH request i get in return : Insufficient scope, expected any of: update:users,update:users_app_meta, which seem pretty clear.

Then I update my login function in my front, and add the required scope :

const options = {
scope: ‘openid profile offline_access read:current_user read:current_user_metadata update:users_app_meta’,
audience: https://<my-tenant>.eu.auth0.com/userinfo,
responseType: ‘code’
};

but when I decode the acces_token, I dont have the new scope I added.

{
“iss”: “https:// .eu.auth0.com/”,
“sub”: “auth0|5da4…e74988198”,
“aud”: [
“https://.eu.auth0.com/api/v2/”,
“https://.eu.auth0.com/userinfo”
],
“iat”: 1589716264,
“exp”: 1589719864,
“azp”: “V3KIi…aN”,
“scope”: “openid profile offline_access” <----- no update:users_app_meta
}

AS you can see, even my other added scopes (s read:current_user read:current_user_metadata) doesn’t appears here, can you help me figure it out ?

Thanks

Hi @saytaine,

We need some more details regarding you issue. Would you please mention which token you using when going for patch call?

Hi @rashid779939
I used acces_token.
I tried with a generated test token from my dashboard and it works, because test token has every scope added

Hi @saytaine,

It looks like you are trying to issue an access token to a user, using the authorization_code grant, that can be then used to call the management API.

An access token for calling the management API needs to be issued to a backend process (not a user), using the client_credentials grant:

As a security note, when requesting an access token to all the management API with, only request the scopes you need for that request.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.