I am currently utilizing Auth0 in my application to authorize users. The typical flow involves users logging in through Auth0, which then performs SSO with an identity provider to issue a JWT token. This token is used in subsequent requests to my application’s backend (specifically AWS Lambda functions), where an authorizer validates the JWT and checks our users database for the appropriate permissions.
I am exploring an expansion of our authentication mechanisms to include the ability to log in users from another service that is not configured as an identity provider and, thus, cannot issue JWT tokens directly. My objective is to programmatically create a user via the Auth0 API and have Auth0 issue a JWT for this user. I would like to retrieve this JWT through an API so that it can be used seamlessly within my existing authorizer flow, without necessitating any modifications to how the authorizer validates tokens and permissions.
To this end, from my understanding, I need to create a database-type application within Auth0 and manage user creation within this application, ensuring users are created here if they do not already exist. Following this, I believe I should use the “Get a refresh token” endpoint, passing the user’s ID to obtain the JWT.
I have successfully created a database application and managed to create a user via the Create User endpoint. However, I encounter a problem when attempting to get the token: I receive a 403 response code with the message “Insufficient scope, expected: read:refresh_tokens”. This is puzzling because my Auth0 Management API has this scope in its permissions.
Could you please advise on the following:
Confirmation of the process to achieve my goal of issuing JWTs for users created via the Auth0 API from a non-identity provider service.
Clarification on why I am receiving a 403 “Insufficient scope” error despite having the “read:refresh_tokens” scope in my Auth0 Management API permissions.
Any additional steps or configurations I might be missing to properly obtain JWTs for users created in this manner.
Your guidance is crucial for expanding our authentication capabilities while ensuring the security and integrity of our authorization workflow. I appreciate your support and assistance in resolving these issues.
Best regards,
Eden