Creating a new user via Auth0 Management API associates user to API app and not Angular SPA app

I have a back-end process for creating a new user in my Auth0’s user database. The user is getting created as expected, however, the email the user receives is welcoming the user to the API Explorer Application which is the application the back-end is using to create the user in Auth0.

How do I specify I want the new user associated with the Angular SPA application so the user receives a welcome message and link to the Angular SPA app? Right now, the generated user is receiving an email asking them to sign into API Explorer.

Thank you.

Hi @tom.schreck,

Have you registered your API with Auth0? If so, do you have its API identifier listed as the audience in your app’s auth_config file?

example from the Angular QuickStart:

{
  "domain": "YOUR_DOMAIN",
  "clientId": "YOUR_CLIENT_ID",
  "audience": "YOUR_API_IDENTIFIER",
  "apiUri": "http://localhost:3001",
  "appUri": "http://localhost:4200"
}

Thank you for your response. In my API code I’m using different configuration data representing different Auth0 applications.

In my API code, I have:

{
  "domain": "DOMAIN",
  "clientId": "CLIENT ID FOR ANGULAR SPA",
  "audience": "AUDIENCE FOR API (this is the https://url-to-my-api)"
}

The above configurations are used with jwt.VerifyOptions with my ApolloGateway configuration. This is used to validate incoming Bearer tokens.

In my API code, I also have the following configurations set as env variables:

AUTH0_CLIENT_ID=CLIENT ID FOR Machine-To-Machine API Explorer 
AUTH0_CLIENT_SECRET=SHHHHHHHHHHHH
AUTH0_API=URL to my Auth0 Management API

The above configurations are used with creating a connection to Auth0’s management api in order for me to manually create a new user. This new user is being created and is somehow being connected to my API app instead of my Angular SPA app. I need my API to create a new user programmatically on behalf of my Angular SPA app.

My new Auth0 user being created via my API needs to receive an email pointing them to Angular SPA and not to API.

Should AUTH0_CLIENT_ID (which is currently configured to my API) really be configured as the client id of my Angular SPA Auth0 app?

In your response, you mentioned:

do you have its API identifier listed as the audience in your app’s auth_config file?

When you say ‘your app’s auth_config file’, are you referring to my Angular SPA app, or my API app (because I have an auth_config file for each app)?

Thank you.

Should AUTH0_CLIENT_ID (which is currently configured to my API) really be configured as the client id of my Angular SPA Auth0 app?

Yes, in your API code, instead of using the machine-to-machine API explorer Client ID, I believe you should use the SPA Client ID.

I was referring to the Angular app.

I’m working on recreating this behavior and will let you know what I find!

Looking at the example from the React Quickstart, it looks like the same auth configs should be used for both the API and the app.

You could try clicking the “LOGIN AND DOWNLOAD SAMPLE” button and starting up the sample app to see if that is the behavior you’re looking for.

Yes, I’m using a machine-to-machine application to create a user in Auth0. This is working, but I’m not able to get the correct email to be sent.

I’ll try to switch out the client id to that of the SPA app.

Thank you for your help. I’ll let you know.


I’m confused. The quickstart examples you are pointing me to are for how the client app (SPA) establishes a connection to Auth0. I do not think these are applicable to my situation.

My backend API (written in Node) needs to establish a token with Auth0 in order to have the correct credentials to create a user via Auth0’s Management API. An SPA app is restricted from creating a new user per your documentation.

In my backend API, I’m needing to POST to ‘oauth/token’ requesting ‘client_credentials’ grant type to establish a token with the correct permissions in order to create a user. I’ve tried establishing this token with client id & client secret of my SPA app and this does not work. I can establish a token if I use the client id & client secret of my machine-to-machine application though.

How do I establish the correct token in order to create the user via Auth0’s Management Token and have that user associated with my SPA application so the user gets the correct welcome email?

Thank you

I found this tutorial:

and it allows me to login where I can configure code snippets with my application. I’m implementing the examples in my Node app and am getting this error:

HTTPError: Response code 403 (Forbidden)
{
  code: undefined,
  timings: {
    start: 1611172024488,
    socket: 1611172024495,
    lookup: 1611172024497,
    connect: 1611172024503,
    secureConnect: 1611172024526,
    upload: 1611172024526,
    response: 1611172024778,
    end: 1611172024783,
    error: undefined,
    abort: undefined,
    phases: {
      wait: 7,
      dns: 2,
      tcp: 6,
      tls: 23,
      request: 0,
      firstByte: 252,
      download: 5,
      total: 295
    }
  }

Here’s my POST from my node app:

const got = require('got');

// Requests a Management API token with the client_credentials grant.
// got throws HTTPError on non-2xx responses, which is the 403 shown above.
async function getToken() {
  const { body } = await got.post('https://....', {
    json: {
      grant_type: 'client_credentials',
      client_id: 'XXXXXX',
      client_secret: 'SHHHHHHHH',
      audience: 'https://....'
    },
    responseType: 'json'
  });
  return body.access_token;
}

I’ve triple checked I have the right clientId, secret, and urls directly from the link I found above.

I tried making the POST for obtaining the proper token in Postman and am receiving this error:

{
    "error": "unauthorized_client",
    "error_description": "Grant type 'client_credentials' not allowed for the client.",
    "error_uri": "https://auth0.com/docs/clients/client-grant-types"
}

So, it appears I cannot request ‘client_credentials’ against my SPA Angular application.

You should see both a React front-end application (server.js) and a Node API (api-server.js) in the example so you can see how the frontend application and API are set up, but I can see how it isn’t the best match for your application.

When you go to your dashboard and click APIs and then click “Auth0 Management API” and go to the “Machine to Machine Applications” tab, is your API listed as an authorized app?

No, actually it’s not listed.

Ah, okay! If you go to Applications and click “+CREATE APPLICATION” you can create a Machine-to-Machine application and authorize it to use the management API.

I originally had a machine-to-machine app setup and it was creating the user like you expect, but the user was not getting associated with the Angular SPA app, so the email the newly created user receives welcomes the user to the API app and not the SPA app.


I see, that makes sense because the email template will use the application name. Users aren’t associated with applications, but rather the tenant. So if it is just the email template, I think you could customize the email template or maybe use client metadata within the template instead of the client name. I will test and see if that is an option and give more details if so.

The email I receive when I create a user via Auth0 Management API does not match the email templates. I’ve modified the following templates:

  • Verification Email (using Link)
  • Verification Email (using Code)
  • Welcome Email

The email I’m receiving contains:

'Click and confirm that you want to sign in to API Explorer Application. This link will expire in five minutes:'

I cannot find a template with this wording so I can change it.

Yes, I’m using a custom email provider.

Not only is this email using the wrong application, it’s also taking user to the wrong URL when they click the sign-in button.

If you pass email_verified: true when creating the user, they will not receive the default email. You can then use the POST /api/v2/jobs/verification-email endpoint to send your customized email template.

Oh, that might solve the issue. Lemme give it a spin

Do you know what data needs to go in the “identity” aspect of payload:

{
  "user_id": "google-oauth2|1234",
  "client_id": "",
  "identity": {
    "user_id": "???????   is this the same as user_id above ??????",
    "provider": "google-oauth2"
  }
}

The identity property is not required for DB connections. It is only needed if you are creating a secondary identity when using account linking or if you are wanting to verify a social/enterprise connection.
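The back-end flow the replies describe (client_credentials token with the machine-to-machine app, then creating the DB user with email_verified: true, then the verification-email job naming the SPA client_id), as an added example that is not code from the thread or from Auth0. The domain, connection name and the injected transport are assumptions; the thread’s closing 400 from that endpoint is not addressed here.

```javascript
// Added example, not code from the thread or from Auth0. The transport is
// injected so the flow can be exercised offline; domain and connection name
// are placeholders for the real tenant values.
const AUTH0_DOMAIN = process.env.AUTH0_DOMAIN || 'YOUR_DOMAIN.auth0.com';
const MGMT_AUDIENCE = `https://${AUTH0_DOMAIN}/api/v2/`;
const DB_CONNECTION = 'Username-Password-Authentication'; // assumed DB connection name

// Step 1: client_credentials token. Only the Machine-to-Machine app may use this
// grant; a SPA client gets "unauthorized_client", as the thread shows. The secret
// therefore lives in the back-end only and never reaches the Angular app.
function tokenRequest(m2m) {
  return {
    url: `https://${AUTH0_DOMAIN}/oauth/token`,
    body: { grant_type: 'client_credentials', client_id: m2m.clientId,
            client_secret: m2m.clientSecret, audience: MGMT_AUDIENCE },
  };
}

// Step 2: create the DB user with email_verified: true so Auth0 sends no
// default (API Explorer-branded) email.
function createUserRequest(email, password) {
  return { url: `https://${AUTH0_DOMAIN}/api/v2/users`,
           body: { connection: DB_CONNECTION, email, password, email_verified: true } };
}

// Step 3: send the customized verification email, naming the SPA client_id so
// the template and link refer to the SPA. No "identity" block: per the reply
// above it is only needed for secondary (linked) or social/enterprise identities.
function verificationJobRequest(userId, spaClientId) {
  return { url: `https://${AUTH0_DOMAIN}/api/v2/jobs/verification-email`,
           body: { user_id: userId, client_id: spaClientId } };
}

// transport(url, init) -> Promise<{ ok, status, body }>, e.g. a thin wrapper
// around fetch that parses JSON. Throwing on !ok surfaces 403/400 bodies.
async function postJson(transport, req, token) {
  const headers = { 'content-type': 'application/json' };
  if (token) headers.authorization = `Bearer ${token}`;
  const res = await transport(req.url, { method: 'POST', headers, body: JSON.stringify(req.body) });
  if (!res.ok) throw new Error(`${res.status} from ${req.url}: ${JSON.stringify(res.body)}`);
  return res.body;
}

async function provisionUser(transport, m2m, spaClientId, email, password) {
  const { access_token } = await postJson(transport, tokenRequest(m2m));
  const user = await postJson(transport, createUserRequest(email, password), access_token);
  const job = await postJson(transport, verificationJobRequest(user.user_id, spaClientId), access_token);
  return { userId: user.user_id, jobId: job.id };
}
```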

When trying to invoke jobs/verification-email I get this error:

{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "The user's main connection does not support this operation",
  "errorCode": "operation_not_supported"
}