Can't get token with update:users scope

I have an Auth0 Management API v2 set up for a single page application (React.js). I'm trying to implement
link-identities, but it always returns a 401 Unauthorized response.

Here is my request:
Request URL: https://domain/api/v2/users/primary_user_id/identities
Header: Authorization: 'Bearer primary_Account_token'
Body: link_with: secondary_account_token

This is the response:

{
    "statusCode": 401,
    "error": "Unauthorized",
    "message": "Invalid token",
    "attributes": {
        "error": "Invalid token"
    }
}

I've noticed that the JWT tokens sent in the identities request were not created with the update:users scope. When I try to add this scope to my get-token request, it returns: "User is not authorized to the audience for those scopes"

Can you help me with that? Thanks

Hi @enes,

Welcome to the Auth0 Community!

You should not allow your SPA to obtain a management API access token with the update:users scope. This doc is helpful if you would like to know more about why that is not allowed.

The client-side account linking implementation requires an update:current_user_identities scoped token.

Hi @dan.woda, thank you for the response. I've been trying to work with the client-side account linking implementation, but it throws me a 401 Unauthorized error. I'm sending the primary account's access token, which was obtained with the update:current_user_identities scope, in the header. In the body, I'm sending the secondary account's ID token as the link_with parameter.

Also, my request URL is like this: https://domain/api/v2/users/604f0baad113b5006ddd6797/identities
(primary account user_id)

{
    "statusCode": 400,
    "error": "Bad Request",
    "message": "Path validation error: 'Object didn't pass validation for format user-id: 604f0baad113b5006ddd6797' on property id (ID of the primary user account to link a second user account to).",
    "errorCode": "invalid_uri"
}

If I send https://domain/api/v2/users/auth|604f0baad113b5006ddd6797/identities
(with the auth| prefix)

{
    "statusCode": 403,
    "error": "Forbidden",
    "message": "User to be acted on does not match subject in bearer token.",
    "errorCode": "unowned_resource"
}

Have you tried URL encoding the pipe character (|)?

@dan.woda I've tried it like this:
https://dev-get-local.auth0.com/api/v2/users/auth%7C604f0baad113b5006ddd6797/identities
(the pipe character encoded is %7C).
And the response from the endpoint:

{
    "statusCode": 403,
    "error": "Forbidden",
    "message": "User to be acted on does not match subject in bearer token.",
    "errorCode": "unowned_resource"
}

Let me clarify my use case one more time:

1 - I have two registered accounts. One of them is an email account without social. I'm getting its access token via the https://domain_name/oauth/token endpoint with the update:current_user_identities scope.
2 - The second account is registered with social via a Microsoft connection. I'm getting its ID token with the update:current_user_identities scope.

In my request, I'm sending the email account's access token in the header as the Authorization parameter with the Bearer prefix.
The second account's ID token is sent in the body as the link_with parameter.
In the request URL, I'm adding the first account's user_id as part of the URL. I tried it three ways:

https://dev-get-local.auth0.com/api/v2/users/auth%7C604f0baad113b5006ddd6797/identities
https://dev-get-local.auth0.com/api/v2/users/auth|604f0baad113b5006ddd6797/identities
https://dev-get-local.auth0.com/api/v2/users/604f0baad113b5006ddd6797/identities

Nothing works.

This fixed the issue:

The user_ID in your URL should be auth0%7C604f0baad113b5006ddd6797 - the other requests were sufficient to pass the URL string validation the endpoint has, but the user requested by the URL did not match the “sub” claim in the presented access token as they were missing the “0”.

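To avoid the mismatch described in the reply above (a hand-typed `auth|...` user_id that does not equal the `sub` claim of the bearer token), the SPA can read `sub` out of its own access token and build the path from that, URL-encoding the pipe. The following is an added example for this thread, not code from the original posts or from Auth0; the tenant domain is the one from the thread, and the function names, the sample tokens (unsigned, constructed here only so the block runs offline) and the `windowslive|...` secondary user_id are all assumptions.

```javascript
// Added example (not from the thread): build the client-side account-linking
// request with the primary user_id taken from the access token's "sub" claim.
// Assumed names: AUTH0_DOMAIN, decodeJwtPayload, buildLinkRequest, sendLinkRequest.
const AUTH0_DOMAIN = "dev-get-local.auth0.com"; // tenant from the thread

// Decode a JWT payload WITHOUT verifying the signature. That is acceptable here:
// the SPA only reads its own token to learn which user_id belongs in the path;
// the Management API validates the signature and scopes when it gets the request.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  let b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  while (b64.length % 4) b64 += "=";
  const json = typeof Buffer !== "undefined"
    ? Buffer.from(b64, "base64").toString("utf8")
    : atob(b64);
  return JSON.parse(json);
}

// Returns the fetch() parameters for POST /api/v2/users/{id}/identities.
// opts.userId is optional: if the caller already "knows" the primary user_id,
// it is checked against "sub" so an auth|... vs auth0|... slip fails locally
// instead of as a 403 unowned_resource from the API.
function buildLinkRequest(primaryAccessToken, secondaryIdToken, opts = {}) {
  const domain = opts.domain || AUTH0_DOMAIN;
  const claims = decodeJwtPayload(primaryAccessToken);
  const sub = claims.sub;
  if (typeof sub !== "string" || !sub.includes("|")) {
    throw new Error("primary access token has no usable sub claim");
  }
  if (opts.userId !== undefined && opts.userId !== sub) {
    throw new Error(`user_id "${opts.userId}" does not match token sub "${sub}"`);
  }
  const scopes = String(claims.scope || "").split(" ");
  if (!scopes.includes("update:current_user_identities")) {
    throw new Error("primary token lacks update:current_user_identities");
  }
  const secondary = decodeJwtPayload(secondaryIdToken);
  if (secondary.sub === sub) {
    throw new Error("refusing to link an account to itself");
  }
  // encodeURIComponent turns "auth0|..." into "auth0%7C...", which is what the path needs.
  const url = `https://${domain}/api/v2/users/${encodeURIComponent(sub)}/identities`;
  return {
    url,
    method: "POST",
    headers: {
      Authorization: `Bearer ${primaryAccessToken}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({ link_with: secondaryIdToken }),
  };
}

// Sends the request from a browser; returns the parsed JSON body.
async function sendLinkRequest(req) {
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  const body = await res.json();
  if (!res.ok) throw new Error(`${res.status} ${body.errorCode || body.error}: ${body.message}`);
  return body;
}

// --- constructed sample tokens (alg "none", unsigned; a real token is signed by Auth0) ---
function makeUnsignedSampleJwt(payload) {
  const enc = (obj) => {
    const s = JSON.stringify(obj);
    const b64 = typeof Buffer !== "undefined" ? Buffer.from(s, "utf8").toString("base64") : btoa(s);
    return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  };
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.`;
}

const SAMPLE_PRIMARY_ACCESS_TOKEN = makeUnsignedSampleJwt({
  sub: "auth0|604f0baad113b5006ddd6797",
  aud: `https://${AUTH0_DOMAIN}/api/v2/`,
  scope: "openid profile update:current_user_identities",
});
const SAMPLE_SECONDARY_ID_TOKEN = makeUnsignedSampleJwt({
  sub: "windowslive|0123456789abcdef", // constructed secondary user_id
  aud: "sample-client-id",
});

if (typeof require !== "undefined" && require.main === module) {
  const req = buildLinkRequest(SAMPLE_PRIMARY_ACCESS_TOKEN, SAMPLE_SECONDARY_ID_TOKEN);
  console.log(req.url); // path contains auth0%7C604f0baad113b5006ddd6797
}
```

Deriving the path segment from `sub` removes the class of error the thread hit: the API compares the user_id in the URL with the `sub` of the bearer token, so any path segment that is not literally that claim (URL-encoded) will either fail path validation or come back as `unowned_resource`.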

Glad you were able to figure it out.


We have created a FAQ related to this topic. Please check it out: How to Implement Client-Side User Initiated Account Linking