Auth0 Swift SDK - Can the Patch Method be Used to Update a Username

Problem statement

The following Swift SDK document states that the patch method can be used to update user root attributes, including a username.

• Documentation
• https://auth0.github.io/Auth0.swift/documentation/auth0/userpatchattributes/

However, the following insufficient scope error is shown when trying to update a username.

failure(Failed with unknown error [“message”: Insufficient scope, expected any of: update:users,update:users_app_metadata,update:current_user_metadata, “errorCode”: insufficient_scope, “error”: Forbidden, “statusCode”: 403].)

Getting a Management API access token for updating a username does not seem possible, but the Swift SDK documentation states the patch method can update a username.

Symptoms

Error:
failure(Failed with unknown error [“message”: Insufficient scope, expected any of: update:users,update:users_app_metadata,update:current_user_metadata, “errorCode”: insufficient_scope, “error”: Forbidden, “statusCode”: 403].)

Cause

The patch method can no longer be used to update user root attributes.

Here is a more detailed history of this document. Please note that “Public Client” here includes SPA and mobile applications.

The Swift SDK document is out of date. Public Clients can’t ask for update:users scope per Get Management API Access Tokens for Single-Page Applications. This can be confirmed by inspecting the scope’s claim of the access token JWT in jwt.io . It won’t include the update:users scope.

The following are the available options from a public client when updating a user:

Scope:

• update:current_user_identities:
  • POST/api/v2/users/{id}/identities
  • DELETE /api/v2/users/{id}/identities/{provider}/{user_id}
• update:current_user_metadata:
  • PATCH /api/v2/users/{id}

The documents listed above date back to May 2016. Back then, it was possible to request the update:users scope and update a few root user attributes from mobile apps, including:

• email and phone number
• username
• blocked status
• user’s metadata

It was even possible to update the app’s metadata. Because of that, Auth0.swift included from version 1.0.0 the ability to update these properties. However, today, these capabilities have been restricted for security reasons, so it’s no longer possible to do these updates from mobile apps.

Solution

The documentation has been since updated, and most of the methods in the UserPatchAttributes type were deprecated, given that only the user metadata can be updated now using the patch() method.

The observed behavior is intended.