Auth0-js : can't set scope

Hello,

I want to be able to update user metadata. When I send a PATCH request I get in return: Insufficient scope, expected any of: update:users,update:users_app_meta, which seems pretty clear.

Then I update my login function in my front end, and add the required scope:

const options = {
  scope: 'openid profile offline_access read:current_user read:current_user_metadata update:users_app_meta',
  audience: 'https://<my-tenant>.eu.auth0.com/userinfo',
  responseType: 'code'
};

But when I decode the access_token, I don't have the new scope I added.

{
  "iss": "https:// .eu.auth0.com/",
  "sub": "auth0|5da4…e74988198",
  "aud": [
    "https://.eu.auth0.com/api/v2/",
    "https://.eu.auth0.com/userinfo"
  ],
  "iat": 1589716264,
  "exp": 1589719864,
  "azp": "V3KIi…aN",
  "scope": "openid profile offline_access" <----- no update:users_app_meta
}

As you can see, even my other added scopes (read:current_user read:current_user_metadata) don't appear here. Can you help me figure it out?

Thanks

Hi @saytaine,

We need some more details regarding your issue. Would you please mention which token you are using when going for the PATCH call?

Hi @rashid779939
I used the access_token.
I tried with a generated test token from my dashboard and it works, because the test token has every scope added.

Hi @saytaine,

It looks like you are trying to issue an access token to a user, using the authorization_code grant, that can be then used to call the management API.

An access token for calling the management API needs to be issued to a backend process (not a user), using the client_credentials grant:

As a security note, when requesting an access token to call the management API, only request the scopes you need for that request.

5 Likes
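
The backend flow described in the reply above, as an added example that is not part of the original thread and not Auth0's own code: a Node.js service requests a Management API token with the client_credentials grant, checks the decoded scope claim (the check the question does by hand), and only then sends the PATCH. The tenant name, credentials, user id and helper names are placeholders; update:users is taken from the error message in the question, and Node 18+ global fetch is assumed.

```javascript
// Added example (not from the thread). Tenant and credentials are placeholders.
const TENANT = 'YOUR_TENANT.eu.auth0.com'; // placeholder
const MGMT_AUDIENCE = `https://${TENANT}/api/v2/`;

// Body of the client_credentials token request a backend sends to /oauth/token.
function buildTokenRequest(clientId, clientSecret) {
  return {
    grant_type: 'client_credentials',
    client_id: clientId,
    client_secret: clientSecret, // backend only; never ship this to the browser
    audience: MGMT_AUDIENCE,
  };
}

// Decode (without verifying) the JWT payload to inspect its claims.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// Return the required scopes that the token's "scope" claim does not carry.
function missingScopes(jwt, required) {
  const granted = new Set((decodePayload(jwt).scope || '').split(' ').filter(Boolean));
  return required.filter((s) => !granted.has(s));
}

// Fetch a Management API token, check its scopes, then PATCH app_metadata.
async function updateAppMetadata(clientId, clientSecret, userId, appMetadata) {
  const tokenRes = await fetch(`https://${TENANT}/oauth/token`, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify(buildTokenRequest(clientId, clientSecret)),
  });
  if (!tokenRes.ok) throw new Error(`token request failed: ${tokenRes.status}`);
  const { access_token } = await tokenRes.json();
  const missing = missingScopes(access_token, ['update:users']);
  if (missing.length) throw new Error(`token lacks: ${missing.join(', ')}`);
  const res = await fetch(`${MGMT_AUDIENCE}users/${encodeURIComponent(userId)}`, {
    method: 'PATCH',
    headers: { authorization: `Bearer ${access_token}`, 'content-type': 'application/json' },
    body: JSON.stringify({ app_metadata: appMetadata }),
  });
  if (!res.ok) throw new Error(`PATCH failed: ${res.status}`);
  return res.json();
}
```

Run against the token from the question, `missingScopes` reports `update:users` as absent, which is the same condition the Management API rejects with "Insufficient scope".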
