I am developing a SPA which implements the implicit grant. When I call the authorisation point I receive both tokens, access and ID, the latter is being enriched via rules with elements from
One of my use cases is allowing the user to update such metadata, and for that I need to call the
PATCH /api/v2/user endpoint from the management API.
According to Auth0 docs (with my absolute agreement), you should never, ever call an API using your idToken (Reference). However, the dilemma is that to the best of my knowledge I can’t get access to the management API using my actual auth flow, unless… I use my idToken, as it turns out that the token comes with specific scope permissions for that (Reference).
I am missing something. I would really appreciate the point of view of someone with production experience in this matter.