Authorization fails when trying to fetch /api/v2/users/

I have the following flow for my single page web app:

        const access_token = await getAccessTokenSilently({
          audience: 'https://dev-********.us.auth0.com',
          scope: ['read:users', 'read:user_idp_tokens'],
        }); 
        console.log("Access token: " + access_token)
        const userWithToken = await fetch("https://dev-********.us.auth0.com/api/v2/users/" + user.sub + "?include_fields=true", {
          headers: {
            Authorization: `Bearer ${access_token}`
          }
        })
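        // fetch() resolves to a Response object; parse the JSON body before reading identities
        const userData = await userWithToken.json()
        const token = userData.identities[0].access_token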
        console.log("Token:" + token)
        const response = await fetch('https://api.github.com/users/' + user.nickname + '/repos', {
          headers: {
            Accept: `application/vnd.github+json`,
            Authorization: `token ${token}`,
          },
        });
        console.log(response)

The problem is that the call to https://dev-********.us.auth0.com/api/v2/users/ always fails: either with a 401 Bad audience error (if I specify https://api.github.com/ as an audience when doing getAccessTokenSilently), or Consent is required (if I specify https://dev-********.us.auth0.com/api/v2/ as an audience), or a plain 400 (if I call getAccessTokenSilently without an audience or any params).

How do I make this work?

Hi @altern,

I moved this topic to the #help category (please use this in the future for similar questions).

You cannot get the read:user_idp_tokens scope for a token requested from a client-side app.

You must use a backend service to retrieve the IdP token (github token).
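
The backend flow described in the reply above, as an added example that is not part of the original thread or Auth0's own code. It assumes a Machine-to-Machine application authorized for the Management API with `read:users` and `read:user_idp_tokens`; the function names, the `cfg` object and the injectable `fetchImpl` parameter are hypothetical, and the backend is assumed to take `userId` from the caller's validated session rather than from request input.

```javascript
// Added example: server-side helper. All configuration values are placeholders.
// cfg = { domain, clientId, clientSecret } for a Machine-to-Machine application.
async function getManagementToken(cfg, fetchImpl = fetch) {
  // Client credentials grant: the secret stays on the server, never in the SPA.
  const res = await fetchImpl(`https://${cfg.domain}/oauth/token`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      grant_type: 'client_credentials',
      client_id: cfg.clientId,
      client_secret: cfg.clientSecret,
      audience: `https://${cfg.domain}/api/v2/`,
    }),
  });
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  return (await res.json()).access_token;
}

// Returns the GitHub access token stored on the user's github identity.
async function getGithubIdpToken(cfg, userId, fetchImpl = fetch) {
  const mgmtToken = await getManagementToken(cfg, fetchImpl);
  const url = `https://${cfg.domain}/api/v2/users/${encodeURIComponent(userId)}` +
    '?fields=identities&include_fields=true';
  const res = await fetchImpl(url, { headers: { Authorization: `Bearer ${mgmtToken}` } });
  if (!res.ok) throw new Error(`user lookup failed: ${res.status}`);
  const user = await res.json();
  const gh = (user.identities || []).find((i) => i.provider === 'github');
  if (!gh || !gh.access_token) throw new Error('no GitHub IdP token on this user');
  return gh.access_token;
}

// Calls GitHub from the backend and returns only repository names,
// so neither the Management API token nor the IdP token reaches the browser.
async function listGithubRepos(cfg, userId, nickname, fetchImpl = fetch) {
  const ghToken = await getGithubIdpToken(cfg, userId, fetchImpl);
  const url = `https://api.github.com/users/${encodeURIComponent(nickname)}/repos`;
  const res = await fetchImpl(url, {
    headers: { Accept: 'application/vnd.github+json', Authorization: `token ${ghToken}` },
  });
  if (!res.ok) throw new Error(`GitHub request failed: ${res.status}`);
  return (await res.json()).map((r) => r.name);
}
```

The SPA then calls this backend endpoint with its own access token instead of requesting Management API scopes itself.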
