I have an Auth0 Management API v2 for a single page application (React.js). I’m trying to implement
link-identities but it always returns a 401 Unauthorized response.
This is the response:
{
  "statusCode": 401,
  "error": "Unauthorized",
  "message": "Invalid token",
  "attributes": {
    "error": "Invalid token"
  }
}
I’ve noticed that the JWT tokens which are sent in the identities request weren’t created with the update:users scope. When I try to add this scope to my get-token request, it returns: “User is not authorized to the audience for those scopes”
Hi @dan.woda, thank you for the response. I’ve been trying to handle the client-side account linking implementation, but it throws a 401 Unauthorized error. I’m sending the primary account’s access token, which is obtained with the update:current_user_identities scope, in the header. In the body, I’m sending the secondary account’s ID token as the link_with parameter.
Also, my request URL is like this: https://domain/api/v2/users/604f0baad113b5006ddd6797/identities
(primary account user_id)
{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "Path validation error: 'Object didn't pass validation for format user-id: 604f0baad113b5006ddd6797' on property id (ID of the primary user account to link a second user account to).",
  "errorCode": "invalid_uri"
}
{
"statusCode": 403,
"error": "Forbidden",
"message": "User to be acted on does not match subject in bearer token.",
"errorCode": "unowned_resource"
}
Let me clarify my use case one more time:
1 - I have two registered accounts. One of them is an email account without social. I’m getting its access token via the https://domain_name/oauth/token endpoint with the update:current_user_identities scope.
2 - The second account is registered with social via the Microsoft connection. I’m getting its ID token with the update:current_user_identities scope.
In my request, I’m sending the email account’s access token in the header as the authorization parameter with the Bearer prefix.
The second account’s ID token is sent in the body as the link_with parameter.
In the request URL, I’m adding the first account’s user_id as part of the URL. I tried it 3 ways:
The user_ID in your URL should be auth0%7C604f0baad113b5006ddd6797 - the other requests were sufficient to pass the URL string validation the endpoint has, but the user requested by the URL did not match the “sub” claim in the presented access token as they were missing the “0”.
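The point of the answer above, as an added example (not code from this thread or from Auth0): take the path user_id from the primary access token's own "sub" claim and percent-encode it, so the URL cannot drift from the token. The domain tenant.example.com, the helper names and the unsigned sample tokens are constructed assumptions.

```javascript
// Decode a JWT payload WITHOUT verifying the signature. This is a client-side
// pre-flight check only; the Management API still validates the token itself.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT (expected 3 segments)");
  let b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  b64 = b64.padEnd(Math.ceil(b64.length / 4) * 4, "=");
  return JSON.parse(atob(b64));
}

// Build the link-identities request described in the thread (hypothetical helper).
function buildLinkRequest(domain, primaryAccessToken, secondaryIdToken) {
  const claims = decodeJwtPayload(primaryAccessToken);
  const scopes = String(claims.scope || "").split(" ");
  if (!scopes.includes("update:current_user_identities")) {
    throw new Error("access token lacks update:current_user_identities");
  }
  // Assumption: user_id has the connection|id form shown in the answer (auth0|...).
  if (typeof claims.sub !== "string" || !claims.sub.includes("|")) {
    throw new Error("sub claim is not a full user_id (connection|id)");
  }
  return {
    method: "POST",
    // Path user must equal the token's sub, with "|" percent-encoded as %7C.
    url: `https://${domain}/api/v2/users/${encodeURIComponent(claims.sub)}/identities`,
    headers: {
      Authorization: `Bearer ${primaryAccessToken}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({ link_with: secondaryIdToken }),
  };
}

// Constructed, unsigned sample token for the demo (not a real credential).
function fakeJwt(payload) {
  const enc = (obj) =>
    btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none" })}.${enc(payload)}.sig`;
}

const sampleAccessToken = fakeJwt({
  sub: "auth0|604f0baad113b5006ddd6797",
  scope: "openid update:current_user_identities",
});
const sampleRequest = buildLinkRequest(
  "tenant.example.com", sampleAccessToken, "SECONDARY_ID_TOKEN_PLACEHOLDER");
console.log(sampleRequest.url);
```

The returned object can be passed to fetch as `fetch(req.url, req)`.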