I am developing a SPA which implements the implicit grant. When I call the authorisation endpoint I receive both tokens, access and ID; the latter is being enriched via rules with elements from user_metadata.
One of my use cases is allowing the user to update such metadata, and for that I need to call the PATCH /api/v2/user endpoint from the management API.
According to the Auth0 docs (with my absolute agreement), you should never, ever call an API using your idToken (Reference). However, the dilemma is that to the best of my knowledge I can't get access to the management API using my actual auth flow, unless… I use my idToken, as it turns out that the token comes with specific scope permissions for that (Reference).
I am missing something. I would really appreciate the point of view of someone with production experience in this matter.
It’s not recommended to use the Id Token to call any API and, in particular, usage of these tokens to call the Management API will be deprecated soon. Any application that implements this should be updated by June 1st 2018 (we will have a migration guide ready by February 2018).
You can still get a Management API access token that has a set of scopes that allows it to perform certain actions on the current user. In particular, this access token would have an audience such as https://YOUR_TENANT.REGION.auth0.com/api/v2/ and the scopes that you can request are the following:
Please take into consideration that the user will receive a consent dialog when you use the audience I mentioned previously, if you are using localhost to test your application or if your Management API doesn’t have the “Allow Skipping User Consent” switch turned on.
You can find more information about this in this document.
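The answer above boils down to one change in the SPA: ask for the Management API audience in the same /authorize call, use the *access* token it returns (never the ID token) as the Bearer credential, and PATCH the user. The block below is an added example written for this thread; it is not code from the original post, from the answer, or from Auth0. It assumes placeholder values for the tenant domain, client id and redirect URI, assumes `update:current_user_metadata` as the scope name (confirm it against the scope list the answer refers to), and builds constructed sample tokens with a dummy signature so the flow runs offline. The `checkManagementToken` step is the practitioner's guard against the exact mistake the thread is about: it refuses any token whose `aud` is not the Management API, which is what the ID token looks like.

```javascript
// Added example for this thread; not Auth0's code and not from the original posts.
// Assumptions (placeholders, not real values): TENANT_DOMAIN, CLIENT_ID, REDIRECT_URI,
// the scope name MGMT_SCOPE, and the sample tokens produced by makeSampleJwt().

const TENANT_DOMAIN = "YOUR_TENANT.REGION.auth0.com";   // assumed placeholder
const CLIENT_ID = "YOUR_SPA_CLIENT_ID";                   // assumed placeholder
const REDIRECT_URI = "https://app.example.com/callback";  // assumed placeholder
const MGMT_AUDIENCE = `https://${TENANT_DOMAIN}/api/v2/`; // audience named in the answer
const MGMT_SCOPE = "update:current_user_metadata";        // assumed scope name; confirm it

// Step 1: a single /authorize request that returns the ID token AND a Management API
// access token. state and nonce must be unguessable (crypto.getRandomValues) and stored
// (e.g. sessionStorage) before redirecting; they are parameters so this stays pure.
function buildAuthorizeUrl({ state, nonce, extraScopes = [] }) {
  const url = new URL(`https://${TENANT_DOMAIN}/authorize`);
  const params = {
    response_type: "token id_token",
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    audience: MGMT_AUDIENCE,
    scope: ["openid", MGMT_SCOPE, ...extraScopes].join(" "),
    state,
    nonce,
  };
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  return url.toString();
}

// Step 2: parse the implicit-grant callback fragment; reject an error response or a
// state mismatch (the CSRF / token-injection check).
function parseCallbackFragment(hash, expectedState) {
  const p = new URLSearchParams(hash.startsWith("#") ? hash.slice(1) : hash);
  if (p.get("error")) throw new Error(`authorize failed: ${p.get("error")}`);
  if (!p.get("state") || p.get("state") !== expectedState) throw new Error("state mismatch");
  if (!p.get("access_token") || !p.get("id_token")) throw new Error("missing tokens");
  return { accessToken: p.get("access_token"), idToken: p.get("id_token"), expiresIn: Number(p.get("expires_in")) };
}

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/").padEnd(s.length + ((4 - (s.length % 4)) % 4), "=");
  return new TextDecoder().decode(Uint8Array.from(atob(b64), (c) => c.charCodeAt(0)));
}

function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWS compact token");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Step 3: client-side sanity check that the credential about to be sent is the Management
// API access token (right aud, not expired, carries the scope) and not the ID token.
// The signature is verified by the Management API itself; the SPA only has to avoid
// picking the wrong token. Returns the user id (sub) for the PATCH URL.
function checkManagementToken(accessToken, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(accessToken);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(MGMT_AUDIENCE)) throw new Error(`wrong audience: ${aud.join(",")}`);
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) throw new Error("token expired");
  if (!String(claims.scope || "").split(" ").includes(MGMT_SCOPE)) throw new Error(`missing scope ${MGMT_SCOPE}`);
  if (typeof claims.sub !== "string" || !claims.sub) throw new Error("no sub claim");
  return claims.sub;
}

// Step 4: the PATCH /api/v2/users/{id} request, returned as {url, init} so it can be
// inspected offline; in the app it is simply fetch(url, init).
function buildMetadataPatch(accessToken, userId, userMetadata) {
  const url = `https://${TENANT_DOMAIN}/api/v2/users/${encodeURIComponent(userId)}`;
  const init = {
    method: "PATCH",
    headers: { Authorization: `Bearer ${accessToken}`, "Content-Type": "application/json" },
    body: JSON.stringify({ user_metadata: userMetadata }),
  };
  return { url, init };
}

// Constructed sample tokens (placeholder signature) so the whole flow runs offline.
function base64UrlEncode(s) {
  return btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function makeSampleJwt(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.SIGNATURE`;
}
const SAMPLE_ACCESS_TOKEN = makeSampleJwt({ iss: `https://${TENANT_DOMAIN}/`, sub: "auth0|abc123",
  aud: [MGMT_AUDIENCE], exp: 4102444800, scope: `openid ${MGMT_SCOPE}` });
const SAMPLE_ID_TOKEN = makeSampleJwt({ iss: `https://${TENANT_DOMAIN}/`, sub: "auth0|abc123",
  aud: CLIENT_ID, exp: 4102444800, nonce: "n-1" });

// End to end over a constructed callback; returns the PATCH request that would be sent.
function demo(now = 1700000000) {
  const state = "s-1", nonce = "n-1"; // real code: random, stored before the redirect
  buildAuthorizeUrl({ state, nonce });  // the URL the SPA would redirect to
  const hash = `#access_token=${SAMPLE_ACCESS_TOKEN}&id_token=${SAMPLE_ID_TOKEN}&token_type=Bearer&expires_in=7200&state=${state}`;
  const tokens = parseCallbackFragment(hash, state);
  const userId = checkManagementToken(tokens.accessToken, now);
  return buildMetadataPatch(tokens.accessToken, userId, { theme: "dark" });
}
```

Two caveats when wiring this in: a PATCH that sends `user_metadata` merges top-level keys rather than replacing the whole object, so send only the keys you mean to change (and `null` to remove one), and the access token is scoped to the current user only, so a compromised SPA token cannot be turned into a tenant-wide Management API credential, which is the point of requesting this narrow audience instead of anything broader.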
However, what is the recommended way of patching the user metadata? I do not really want to authenticate a second time to receive an API manager token, nor do I want (I don't even know if I can) to add this kind of capability to my client app, which is using the implicit grant.
This only leaves me with the option of modifying the user_metadata from the backend… which I really don't like, as I prefer to have data APIs totally independent from the authentication flow; it is one of the best advantages of Auth0.
Otherwise I would rather just store that metadata in my own database, as Auth0 will then be a mere "cache" to retrieve such metadata with the ID token during the auth flow…