Fetching 'user:roles' and "Grant type 'client_credentials' not allowed for the client" error

So at the outset I think I’m doing things a bit wrong. I’ve pored through past articles on this as well as the documentation linked there, but I think my mental model of the data workflow is off.

Approach

I’ve established a baseline Regular Web Application (NextJS) to provide two things:

  • Fetch a User’s Roles
  • Hiding direct calls to either the DB/views and our Internal API

To accomplish this, I have:

  • A backend API server (i.e. what’s provided in the NextJS example)
  • A frontend app (Also part of the NextJS boilerplate for interacting with privileged information)
  • A Regular Web Application created via the Auth0 Dashboard
  • A “Custom API” created within the Auth0 Dashboard
  • The pertinent User Role assigned to a select few internal devs
  • List of Permissions (Scopes) – currently this is only comprised of read:roles
  • Login works fine, this all occurs when attempting to ask for User Roles

I realize read:roles is part of the Management API, but we want to be able to grow the list of Roles in the future – hence I created a kind of API placeholder with just one role/perm.

Error

I am attempting to get more information from https://<AUTH0_ISSUER_BASE_URL>.auth0.com/oauth/token which I think might be the problem area.

This is what I’m seeing:

{
  "error": "unauthorized_client",
  "error_description": "Grant type 'client_credentials' not allowed for the client.",
  "error_uri": "https://auth0.com/docs/clients/client-grant-types"
}

However! Based upon the docs under the “Confidential applications” portion of the doc linked in that error, the Regular Web App should have client_credentials enabled by default.

Questions

  • Should I be utilizing the Management API exclusively at this stage then include the Custom API later?
  • If so, what is the Endpoint/request body to understand a given User’s Roles assuming they have a valid JWT?
  • Is 'grant_type': 'client_credentials' no longer the default for RWAs?
  • Ultimately it’d be best to assess the User’s assigned Roles prior to rendering a page within the app, so is asking for Roles after rendering the page bad practice? What are the alternatives?

Thank you

No longer an issue. For those who come across this, the model was wrong. Really should’ve been using Auth0 Rules from the start, that way, you can enrich your JWT and check User Roles at the frontend (if any are assigned).

This is a better overview of how to accomplish this:


Perfect! Thanks for sharing with the rest of community!