Confusion as to how to get user roles from Angular SPA

It seems that I still have quite some confusion as to how to get the user roles from my Angular SPA.

I am using auth0/auth0-spa-js and have followed the getting started tutorial for Angular applications. Login of users works fine, and I also added the function getTokenSilently$() to retrieve the access_token and put it in requests via Interceptor.

This is my auth0Client:

    // Options passed to createAuth0Client() from @auth0/auth0-spa-js
    createAuth0Client({
      domain: '<MY_DOMAIN>',
      client_id: '<MY_CLIENT_ID>',
      redirect_uri: `${window.location.origin}`,
      scope: 'read:current_user',
      response_type: 'id_token token',
      audience: '<MY_PHP_REST_API_ADDRESS>'
    })

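I am able to fetch the user roles with the following snippet:

    getUserRoles$(userID: string): void {
      // Assumes Angular's HttpClient is injected as this.http
      this.http.get(`<MY_DOMAIN>${userID}/roles`, {
        headers: new HttpHeaders().set('Authorization', `Bearer ${apiToken}`)
      }).subscribe(roles => { this.roles = roles; });
    }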

where apiToken is the hard-coded test token taken from the auth0 page. However, if I take the access_token from the function getTokenSilently$() and try to get the roles with something like this, I get a 401 Unauthorized.

    // Assumes Angular's HttpClient is injected as this.http
    this.getTokenSilently$().subscribe(token =>
      this.http.get(`<MY_DOMAIN>${userID}/roles`, {
        headers: new HttpHeaders().set('Authorization', `Bearer ${token}`)
      }).subscribe(
        roles => {
          this.roles = roles;
        }
      )
    );

My suspicion is that the Management API needs a different access_token than my Application API.

Here I read to get the access_token with something like the following:

    grant_type: 'client_credentials',
    client_id: '<MY_CLIENT_ID>',
    client_secret: '<MY_CLIENT_SECRET>',
    audience: '<MY_DOMAIN>'
    headers: new HttpHeaders().set('content-type', 'application/x-www-form-urlencoded')

but here again, I get the error “access_denied, Unauthorized”.

Obviously I am somehow lost. How can I achieve my goal of retrieving the roles for a specific user?

Hi @tschaika,

Welcome to the Community!

SPAs are limited to a very limited set of permissions against the management API.

Because of this, we can take a different approach to getting user roles. Instead of making an extra call to the management API, we can add the user’s roles to the token.

Hopefully this solves it!
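
The approach suggested in the reply, sketched as an added example that is not part of the original thread and not Auth0's own code: a post-login Action copies the user's assigned roles into a custom claim on both tokens, and the SPA reads that claim instead of calling the Management API. It assumes the tenant uses Actions; the namespace `https://example.com/roles` is a placeholder, and `setRoleClaims`, `rolesFromClaims`, `hasRole`, `fakeApi` and `simulateLogin` are hypothetical names.

```javascript
// Added example. Placeholder namespace: use a URI you control.
const ROLES_CLAIM = 'https://example.com/roles';

// Tenant side. In the Action editor this is wired up as:
//   exports.onExecutePostLogin = async (event, api) => setRoleClaims(event, api);
function setRoleClaims(event, api) {
  // event.authorization is absent when the login carries no authorization data.
  const roles = (event.authorization && event.authorization.roles) || [];
  api.idToken.setCustomClaim(ROLES_CLAIM, roles);     // lets the SPA adapt its UI
  api.accessToken.setCustomClaim(ROLES_CLAIM, roles); // lets the API authorize
}

// SPA side: `claims` is the object resolved by auth0-spa-js getIdTokenClaims().
// Fails closed: anything other than an array of strings yields no roles.
function rolesFromClaims(claims) {
  const value = claims ? claims[ROLES_CLAIM] : undefined;
  if (!Array.isArray(value) || !value.every(r => typeof r === 'string')) {
    return [];
  }
  return [...value];
}

function hasRole(claims, role) {
  return rolesFromClaims(claims).includes(role);
}

// Constructed stand-in for the Action runtime's `api`, so the flow runs offline.
function fakeApi() {
  const tokens = { idToken: {}, accessToken: {} };
  const recorder = bag => ({ setCustomClaim: (name, v) => { bag[name] = v; } });
  return {
    tokens,
    idToken: recorder(tokens.idToken),
    accessToken: recorder(tokens.accessToken),
  };
}

// Runs the Action logic for a constructed login and returns the token claims.
function simulateLogin(assignedRoles) {
  const api = fakeApi();
  const event = assignedRoles ? { authorization: { roles: assignedRoles } } : {};
  setRoleClaims(event, api);
  return api.tokens;
}

const claims = simulateLogin(['admin', 'editor']).idToken; // constructed roles
console.log(rolesFromClaims(claims), hasRole(claims, 'admin'));
```

The ID-token claim is only suitable for showing or hiding UI in the SPA; the API named in `audience` should enforce roles from the access token after validating it.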