I’m trying to get a management token from a SPA. I have worked with a few projects where I can get a token either in an Action/Rule or a backend, but the SPA element is new to me. This is part of an account linking function in the SPA. First task. get a management API token.
The document here is
It states you get a management API token by triggering a request to the /authorize endpoint. The document also states that you need to include the Management API audience value, and the relevant scopes in the request.
What I’m missing is whether this request to /authorize is part of the initial OIDC with PKCE flow to authenticate the user, or a secondary request to /authorize for an already authenticated user.
So do I tack an audience value and the Management API scopes I need in addition to the standard OIDC parameters for a SPA, or log the user in first and then make a secondary call to the /authorize end point with the audience and scopes for the management API ?
I’ve tried the former, but don’t get a JWT back, so looking for a steer to support the docs. Thanks in advance.
Thanks for the detailed description - I guess first and foremost it would be good to know what exactly you are looking to accomplish via the Management API. I say this because any Management API access token you get via a SPA is going to be fairly limited and may not suffice for your use case.
Ideally, the getting and using of Management API access tokens should be handled by a backend as outlined in the following FAQ:
If you’re interested, here is an example using our Node Management Client paired with our React sample app.
The full requirement is this. Client Side account linking. This document describes exactly the requirement we are looking for.
It talks to being able to get an API token for the management API for the SPA, and I actually have this working now. To answer my own question, you need to add the relevant Management API scopes and the management API audience to your initial call to /authorize endpoint when authenticating the user. Auth0 then returns an access token ( JWT ) that can be used to make management API calls.
However, that document also calls out the limited scopes available for an access token for the management API issued to a SPA. I do not think I can leverage the Linking API with the scopes available to me. That’s the next step, but it would make documentation misleading.
Unfortunately the requirement is for this to be enabled in a SPA. No backend, which would be my preferred route and much simpler and more secure.
Thanks Ty. Appreciate you taking the time to get back to me.
Those docs definitely need tidying up then. The natural flow from the account linking documents takes you to client side management API usage, which is a dead end for a SPA.