Within my Flutter application I was able to get a JWT token for the management API and to use it to update the user_metadata.
In the Auth0 Dashboard I have 2 APIs:
- Auth0 Management API
- Auth0 Flutter user update API
At first I enabled the second API only for
However in the first API, which as I understand it is the father and controller, I can only see
This first configuration was not working, so I had to add the update:user scope and permission to both APIs.
I have some very big concerns now; I do not really understand the differences between the “scopes” tab and the “machine to machine” tab.
Also, it is not clear why in the father API I cannot see all scopes/permissions.
And there are some important questions too
- what does exposing the client_secret imply?
- with those permissions settings will every client be allowed to modify every user that exposes their ID in some way?
- how can I add the update:user_metadata scope only to my second API?
- how can I be sure that each client can only update the currently logged in user's user_metadata?