Forbidden: Insufficient scope, expected one of: read:users AND read:roles, OR read:role_members

Hello,
I’m working on a rule used to add roles to the access token via the Management API. Before that I get the user roles (as I need them to check the existing roles).
Here is what I’m doing:

    const ManagementClient = require('auth0@2.35.0').ManagementClient;

    const management = new ManagementClient({
      token: auth0.accessToken,
      domain: auth0.domain
    });
    const rolesParams = { id: user.user_id };
    // The second argument is the list of roles, not the user; naming it
    // `roles` avoids shadowing the rule's `user` global.
    management.getUserRoles(rolesParams, function (err, roles) {
      if (err) {
        // Stop here on error instead of falling through to the callback.
        console.log(err);
        return callback(err);
      }
      console.log("success :::", roles);
      callback(null, user, context);
    });
 ......

I got this error when executing this code:

Forbidden: Insufficient scope, expected one of: read:users AND read:roles, OR read:role_members

I checked the M2M permissions; they are all checked (including read:users, read:roles, read:role_members).

When I tried to decode the token generated by auth0.accessToken, the scope obviously does not include the required permissions:

    "scopes": {
      "users": {
        "actions": [
          "read",
          "update"
        ]
      }
    }

Any help appreciated

Hi @kahina

You need to do the client credentials grant in the rule, specifying your M2M client ID and secret, to get the access token with needed permissions.

Then you need to cache that, so you are not getting a new token on every login.

John

3 Likes

Hi @John,
Thanks a lot for your response, it works.

If anyone else meets the same problem and can’t find a way, here is a topic that will help for sure.

Kahina,

Thanks for the additional docs! – j

1 Like