Hello!
My situation is very similar to the one presented here Accessing GitHub API.
This is a years old topic so I wanted to validate if the response is still the same.
If it is there is one thing that I don’t understand, why when I create the social connection to github I can selected github scopes? If I will never be able to use them.
The IDP (github) access tokens are available via the management API. This operation is covered here:
If you have a similar use-case as the thread you linked, specifically the part about wanting to do this all from a react (or similar client side) application, then the thread is still relevant. The issue here is that SPAs have very limited access to the management API, due to their public nature. If you have a backend or API you can proxy the request through there, making this possible via the doc I just linked.
Hello Dan, thanks for your help.
Does this proxy server need to be in the same domain as the SPA? Or can I have the following scenario?
User opens the SPA (my-spa.com) and gets an access token against my configured SPA app in Auth0 (e.g. abc.us.auth0.com), using Github credentials. (described here)
SPA makes a requests to my API (my-proxy-server.com) using the access token from step (1)
The proxy server validates the user access token from step (1) and extracts the user_id
The proxy server gets a Management API JWT token with scopes (user_idp_tokens) using Machine to Machine credentials (described here)
The proxy server calls /api/v2/user/{user-id} (described here) to get the Github token corresponding to the user.
The proxy server uses the token from step (5) to create a repo in Github in users behalf.
I think steps 4,5 and 6 are ok. My main concern is if I can send the access token to the proxy server if is in a different domain from the SPA (e.g. my-spa.com and my-proxy-server.com), these are steps 2 and 3.
