So at the outset I think I’m doing things a bit wrong. I’ve pored through past articles on this as well as the documentation linked there, but I think my mental model of the data workflow is off.
Approach
I’ve established a baseline Regular Web Application (NextJS) to provide two things:
- Fetch a User’s Roles
- Hiding direct calls to either the DB/views and our Internal API
To accomplish this, I have:
- A backend API server (i.e. what’s provided in the NextJS example)
- A frontend app (Also part of the NextJS boilerplate for interacting with privileged information)
- A Regular Web Application created via the Auth0 Dashboard
- A “Custom API” created the within the Auth0 Dashboard
- The pertinent User Role assigned to a select few internal devs
- List of Permissions (Scopes) – currently this is only comprised of `read:roles`
- Login works fine, this all occurs when attempting to ask for User Roles
I realize `read:roles` is part of the Management API, but we want to be able to grow the list of Roles in the future – hence I created a kind of API placeholder with just one role/perm.
Error
I am attempting to get more information from https://<AUTH0_ISSUER_BASE_URL>.auth0.com/oauth/token, which I think might be the problem area.
This is what I’m seeing:
{
"error": "unauthorized_client",
"error_description": "Grant type 'client_credentials' not allowed for the client.",
"error_uri": "https://auth0.com/docs/clients/client-grant-types"
}
However! Based upon the docs under the “Confidential applications” portion of the doc linked in that error, the Regular Web App should have `client_credentials` enabled by default.
Questions
- Should I be utilizing the Management API exclusively at this stage then include the Custom API later?
- If so, what is the Endpoint/request body to understand a given User’s Roles assuming they have a valid JWT?
- Is `'grant_type': 'client_credentials'` no longer the default for RWAs?
- Ultimately it’d be best to assess the User’s assigned Roles prior to rendering a page within the app, so is asking for Roles after rendering the page bad practice? What are the alternatives?
Thank you