
Can't assign scopes from management API using auth0-js


#1

I’m using Auth0 on an Angular 2 SPA, so it’s using auth0-js. I’m trying to enable the Management API so that I can create new users from the application without enabling public sign-ups, but it won’t assign any scopes to my token besides openid and profile. This is the code I use to initialize auth0:

import * as auth0 from 'auth0-js';

// Class field of the Angular auth service; the right-hand `auth0` is the module import above.
auth0 = new auth0.WebAuth({
  clientID: AUTH_CONFIG.clientID,
  domain: '[domain name].auth0.com',
  responseType: 'token id_token',
  audience: 'https://[domain name].auth0.com/api/v2/', // Management API audience
  redirectUri: AUTH_CONFIG.callbackURL,
  scope: 'openid profile read:user' // note: the Management API scope for reading users is spelled read:users
});

I also tried to assign the scope in the authorize() function, but that doesn’t change anything.

I can assign scopes from a custom API, but not the management API.


#2

This is intentionally blocked. You wouldn’t want to have an access token on the frontend that can call the management API. This would be too dangerous because a user could look in their developer console and steal the access token and make calls directly to your management API.

To accomplish this, you would have to create your own proxy API that you can run safely on a server somewhere. This API can restrict the access to the management API to only a “signup” call that behaves like the database/signup call on the Authentication API. This API could use client credentials to get an access token for the management API that can create new users.

If you do this, then you can pass your own audience into that WebAuth constructor and use the access token for your own API to call the management API.

Of course, it is maybe better to just use the database signup endpoint instead.
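The "proxy API" the reply above describes, as an added example (not code from the thread or from Auth0): a minimal Node.js signup service that keeps the Management API token server-side. The SPA calls this service with an access token for the service's own audience; the service exchanges its client credentials for a Management API token, caches it, and exposes exactly one operation, creating a database user. The Auth0 endpoints (POST https://{domain}/oauth/token and POST https://{domain}/api/v2/users), the client ID/secret values and the fetch-compatible transport are assumptions; the transport is injected so the flow can run offline against the constructed fake below. Verifying the SPA's own bearer token on the way in (signature, audience) is a separate step not shown here.

```javascript
// Added example, not code from the thread or from Auth0: a server-side signup
// proxy. The browser never receives a Management API token; this service
// holds the client credentials and makes the Management API call itself.
//
// Assumptions (not from the thread): endpoints POST https://{domain}/oauth/token
// and POST https://{domain}/api/v2/users; `fetchImpl` is a fetch-compatible
// function, injected so the logic can be exercised offline with the fake below.

const SIGNUP_CONNECTION = 'Username-Password-Authentication';

// Returns an async getToken() that obtains a Management API token with the
// client-credentials grant and caches it until shortly before it expires.
function createManagementTokenProvider({ domain, clientId, clientSecret, fetchImpl, now = Date.now }) {
  let cached = null; // { token, expiresAt (ms since epoch) }
  return async function getToken() {
    if (cached && cached.expiresAt - 60 * 1000 > now()) return cached.token;
    const res = await fetchImpl(`https://${domain}/oauth/token`, {
      method: 'POST',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({
        grant_type: 'client_credentials',
        client_id: clientId,
        client_secret: clientSecret,
        audience: `https://${domain}/api/v2/`,
      }),
    });
    if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
    const body = await res.json();
    cached = { token: body.access_token, expiresAt: now() + body.expires_in * 1000 };
    return cached.token;
  };
}

// The only Management API operation the proxy exposes. Only email and password
// are taken from the caller; connection and verify_email are fixed server-side,
// so a client cannot set fields such as app_metadata or email_verified.
async function createDatabaseUser({ domain, getToken, fetchImpl }, input) {
  if (typeof input.email !== 'string' || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(input.email)) {
    throw new Error('invalid email');
  }
  if (typeof input.password !== 'string' || input.password.length < 12) {
    throw new Error('password must be at least 12 characters');
  }
  const token = await getToken();
  const res = await fetchImpl(`https://${domain}/api/v2/users`, {
    method: 'POST',
    headers: { authorization: `Bearer ${token}`, 'content-type': 'application/json' },
    body: JSON.stringify({
      connection: SIGNUP_CONNECTION,
      email: input.email,
      password: input.password,
      verify_email: true,
    }),
  });
  if (!res.ok) throw new Error(`user creation failed: HTTP ${res.status}`);
  const created = await res.json();
  // Return only what the SPA needs: the user_id it will link to its own data.
  return { user_id: created.user_id, email: created.email };
}

// Constructed stand-in for the two Auth0 endpoints, so the flow runs offline.
// It records every call so a test can check how often a token was fetched.
function createFakeAuth0(domain) {
  const calls = [];
  let users = 0;
  const fetchImpl = async (url, opts) => {
    calls.push({ url, headers: opts.headers });
    const reply = (status, data) => ({ ok: status < 300, status, json: async () => data });
    if (url === `https://${domain}/oauth/token`) {
      const b = JSON.parse(opts.body);
      if (b.grant_type !== 'client_credentials' || b.client_secret !== 'secret') return reply(401, {});
      return reply(200, { access_token: 'mgmt-token', token_type: 'Bearer', expires_in: 86400 });
    }
    if (url === `https://${domain}/api/v2/users`) {
      if (opts.headers.authorization !== 'Bearer mgmt-token') return reply(401, {});
      const b = JSON.parse(opts.body);
      users += 1;
      return reply(201, { user_id: `auth0|fake${users}`, email: b.email, connection: b.connection });
    }
    return reply(404, {});
  };
  return { fetchImpl, calls };
}

// End-to-end run against the fake: two signups share one cached token.
async function demoProxy() {
  const domain = 'example.auth0.com';
  const fake = createFakeAuth0(domain);
  const getToken = createManagementTokenProvider({
    domain, clientId: 'proxy-m2m', clientSecret: 'secret', fetchImpl: fake.fetchImpl,
  });
  const deps = { domain, getToken, fetchImpl: fake.fetchImpl };
  const first = await createDatabaseUser(deps, { email: 'alice@example.com', password: 'correct horse battery' });
  const second = await createDatabaseUser(deps, { email: 'bob@example.com', password: 'staple battery horse' });
  const tokenCalls = fake.calls.filter((c) => c.url.endsWith('/oauth/token')).length;
  return { first, second, tokenCalls };
}

demoProxy().then((r) => console.log(JSON.stringify(r)));
```

In a real deployment the `createDatabaseUser` handler sits behind an authenticated route whose bearer token is checked against the proxy's own audience, and the client secret comes from the server's secret store, never from the SPA's config.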


#4

Database signup would do what I want to do, but I do not want users to be able to publicly sign up for my website using the login page. Is there a way to change the login page so that the signup option doesn't show up without disabling database signups completely?


#5

Looked at the Lock documentation and found there's an option to disable the sign-up button.


#6

Just keep in mind that the endpoint is still there. I’m not sure how you are signing up users if you aren’t allowing them to do it on the login page. Is it that you don’t ever want a user to signup themselves, or just that you are hosting the signup page somewhere else?

If you don't want a user to sign up themselves, then you want to disable signups on the DB connection; otherwise anyone can just call the authentication signup method directly with Postman and sign up for your service.

If you want to just control it elsewhere, then you can just disable as you mentioned and then call signup from somewhere else.

Do keep in mind, that we recommend (and the standard recommends) doing signup at the authentication service (this would be at your login page). This is because during signup you collect the secret (password), and you need to be careful about which applications handle the password to avoid leaking that password through logging or having that application store it in an insecure way.


#7

This is the simplest solution I can use here because I need to link data from my own API with the auth0 login. I’m basically creating a new auth0 user, getting the user_id, and using that id with my own data.

Now I'm running into another issue: I'm getting an error saying signup() is not a valid function.


#8

You should just sign them up, then in a rule, call out to your backend API. You can use client credentials to get an access token to your own signup API. Just make sure the rule checks to see that the user's app_metadata is missing your own API information. That way when you pull information from your API in the rule you can set the app_metadata on the user (make sure you call auth0.users.updateAppMetadata to persist the data). So it will only run the first time a user logs in. This will allow you to use the normal signup method.
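The first-login provisioning rule the reply above describes, as an added example (not code from the thread or from Auth0). It is written as a factory so the same logic can be exercised offline; in the Auth0 dashboard you would paste the returned function, since Rules receive (user, context, callback) with `auth0` and `configuration` as globals. The configuration keys (AUTH0_DOMAIN, BACKEND_CLIENT_ID, BACKEND_CLIENT_SECRET, BACKEND_AUDIENCE, BACKEND_API_URL), the backend endpoint POST {BACKEND_API_URL}/users returning {id}, the app_metadata key backend_user_id and the injected httpPost wrapper are all assumptions; auth0.users.updateAppMetadata is the call the reply names.

```javascript
// Added example, not code from the thread or from Auth0: a Rule that, on a
// user's first login, creates the matching record in the application's own
// backend (authenticated with a client-credentials token) and persists the
// backend id in app_metadata so later logins skip the call.
//
// Assumptions (not from the thread): the configuration keys below, a backend
// endpoint POST {BACKEND_API_URL}/users accepting {auth0_id, email} and
// returning {id}, and httpPost(url, headers, bodyObject) -> Promise<{status, body}>
// as a thin wrapper over whatever HTTP client the Rule uses.

function makeProvisioningRule({ auth0, configuration, httpPost }) {
  const cfg = configuration;

  // Client-credentials grant for the backend API's audience.
  async function getBackendToken() {
    const res = await httpPost(`https://${cfg.AUTH0_DOMAIN}/oauth/token`, {}, {
      grant_type: 'client_credentials',
      client_id: cfg.BACKEND_CLIENT_ID,
      client_secret: cfg.BACKEND_CLIENT_SECRET,
      audience: cfg.BACKEND_AUDIENCE,
    });
    if (res.status !== 200) throw new Error(`token request failed: HTTP ${res.status}`);
    return res.body.access_token;
  }

  return function provisionOnFirstLogin(user, context, callback) {
    user.app_metadata = user.app_metadata || {};
    // Already linked on an earlier login: fast path, no backend call.
    if (user.app_metadata.backend_user_id) {
      return callback(null, user, context);
    }
    (async () => {
      const token = await getBackendToken();
      const res = await httpPost(`${cfg.BACKEND_API_URL}/users`,
        { authorization: `Bearer ${token}` },
        { auth0_id: user.user_id, email: user.email });
      if (res.status !== 200 && res.status !== 201) throw new Error(`backend signup failed: HTTP ${res.status}`);
      const metadata = { backend_user_id: res.body.id };
      // Persist on the Auth0 user so the next login takes the fast path.
      await auth0.users.updateAppMetadata(user.user_id, metadata);
      user.app_metadata = Object.assign({}, user.app_metadata, metadata);
      callback(null, user, context);
    })().catch((err) => {
      // Fail closed: a user whose backend record could not be created does
      // not get tokens, rather than logging in half-provisioned.
      callback(err);
    });
  };
}

// Constructed fakes standing in for Auth0 and the backend, so the Rule can be
// exercised offline. They record backend calls and persisted metadata.
function createFakes() {
  const backendCalls = [];
  const persisted = {};
  const httpPost = async (url, headers, body) => {
    if (url.endsWith('/oauth/token')) {
      const ok = body.grant_type === 'client_credentials' && body.client_secret === 'rule-secret';
      return ok ? { status: 200, body: { access_token: 'backend-token' } } : { status: 401, body: {} };
    }
    if (url.endsWith('/users')) {
      backendCalls.push(body);
      if (headers.authorization !== 'Bearer backend-token') return { status: 401, body: {} };
      return { status: 201, body: { id: `db-${backendCalls.length}` } };
    }
    return { status: 404, body: {} };
  };
  const auth0 = { users: { updateAppMetadata: async (id, md) => { persisted[id] = Object.assign({}, persisted[id], md); } } };
  const configuration = {
    AUTH0_DOMAIN: 'example.auth0.com',
    BACKEND_CLIENT_ID: 'rule-m2m',
    BACKEND_CLIENT_SECRET: 'rule-secret',
    BACKEND_AUDIENCE: 'https://api.example.com',
    BACKEND_API_URL: 'https://api.example.com',
  };
  return { httpPost, auth0, configuration, backendCalls, persisted };
}

// Promise wrapper around the callback-style Rule signature.
function runRule(rule, user) {
  return new Promise((resolve, reject) => {
    rule(user, {}, (err, u) => (err ? reject(err) : resolve(u)));
  });
}

// Two logins by the same user: the backend is called once; the second login
// finds the id already in app_metadata.
async function demoRule() {
  const fakes = createFakes();
  const rule = makeProvisioningRule(fakes);
  const alice = { user_id: 'auth0|abc', email: 'alice@example.com' };
  const firstLogin = await runRule(rule, alice);
  const secondLogin = await runRule(rule, Object.assign({}, alice, { app_metadata: fakes.persisted[alice.user_id] }));
  return {
    firstId: firstLogin.app_metadata.backend_user_id,
    secondId: secondLogin.app_metadata.backend_user_id,
    backendCalls: fakes.backendCalls.length,
  };
}

demoRule().then((r) => console.log(JSON.stringify(r)));
```

The check on app_metadata is what makes the rule idempotent; without the persisted id, every login would create another backend record. Failing the login when the backend call fails is a deliberate choice here, since the alternative leaves a user who can authenticate but has no record on the application side.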


#9

I don’t think you’re getting the order of settings right. I want to sign up the user from my own web site so that it creates both the user in the auth0 Username-Password-Authentication and on my own database using my own API. If I use the dashboard to create just the auth0 user, there’s no field to input for sending the data to my database.

Right now, I can't use the signup() function in auth0.js despite the fact that there should be one, and if I make a POST call to dbconnections/signup to create a new user from my website, I get a CORS error, but it works fine in Postman. What do I need to do to make one of these work?


#10

Never mind, just had to add the URL to allowed web origins.

But I’m still curious why signup() doesn’t exist as a function.