Here’s what I’m trying to do:
- Authenticate with Google to sign in (done). I can get the user profile using auth0-spa-js, and that works.
- Get the Access Token that was issued by Google in my SPA. I think I’ll need the management API to do that.
- Call Google APIs using that access token
I have no idea how to do this without a backend. After reading several other questions that are similar, most people are redirected here: Call an Identity Provider API. The “frontend” part just says “first, build a backend.” One of the most important features of my app is that there is no backend, because we don’t want to have access to all of your data! If we did, it would make the Google review process even more burdensome.
I’m referring to this document: Get Management API Access Tokens for Single-Page Applications - it says “With a Management API Token issued for a SPA, you can access the following scopes (and hence endpoints).” and it goes on to list several scopes that make perfect sense, and are exactly what they need. Those scopes are limited to changing the currently signed-in user.
I think there’s a problem with this code, though:
let returnToken = await auth0.getTokenWithPopup({
authorizationParams: AUTH0_MANAGEMENT_API_CONFIG
});
Where AUTH0_MANAGEMENT_API_CONFIG is:
{
"audience": "https://dev-xxxxxxxxxx.us.auth0.com/api/v2/",
"scope": "read:current_user,update:current_user_identities,create:current_user_metadata,update:current_user_metadata,delete:current_user_metadata,create:current_user_device_credentials,delete:current_user_device_credentials"
}
Now, the token that I get back does exist. But when I inspect it at jwt.io, I get: "scope": "". Then, when I construct the auth0.Management instance:
auth0Manage = new Management({
domain: "dev-xxxxxxxxxxxx.us.auth0.com",
token: managementToken
});
and I try to get the identities thusly:
// u is my user object
auth0Manage.getUser(u.sub, (err, profile) => {
if (err) throw err;
console.log(profile.identities);
});
Then I get err set to an error caused by it being unauthorized. Maybe that’s because there are no scopes, even though I’m trying to get all of them? I verified that the u.sub equals the “sub” value in the JWT that’s returned in the management token.
In the headers for the response from /api/v2/users/<my sub>, I see Bearer error="Invalid token", if that helps.
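An added example (not code from the post above or from Auth0's SDKs) that builds the `authorizationParams` for the Management API request with the scopes space-delimited, as OAuth 2.0 (RFC 6749 §3.3) and Auth0 expect rather than comma-delimited, and inspects the `aud` and `scope` claims of the returned token locally before handing it to `auth0.Management`. The token payload is constructed and unsigned, and `sampleToken`, `managementAuthParams` and `checkManagementToken` are hypothetical helper names; the audience URL is the placeholder from the post.

```javascript
// Assumption: Auth0 treats "scope" as a space-delimited string (RFC 6749 §3.3).
const MANAGEMENT_AUDIENCE = "https://dev-xxxxxxxxxx.us.auth0.com/api/v2/";

// The current-user scopes listed in the post, kept as an array so the
// request string is always joined with spaces, never commas.
const CURRENT_USER_SCOPES = [
  "read:current_user",
  "update:current_user_identities",
  "create:current_user_metadata",
  "update:current_user_metadata",
  "delete:current_user_metadata",
  "create:current_user_device_credentials",
  "delete:current_user_device_credentials",
];

// Value to pass as authorizationParams to auth0.getTokenWithPopup().
function managementAuthParams(scopes = CURRENT_USER_SCOPES) {
  return { audience: MANAGEMENT_AUDIENCE, scope: scopes.join(" ") };
}

// Decode a JWT payload WITHOUT verifying the signature. This only mirrors
// pasting the token into jwt.io to read claims; it must never be used to
// decide whether a token is trustworthy.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWS compact token");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
}

// Explain up front why /api/v2 would answer 401: wrong audience, or
// requested scopes that the token does not actually carry.
function checkManagementToken(token, requiredScopes = CURRENT_USER_SCOPES) {
  const claims = decodeJwtPayload(token);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  const granted = new Set((claims.scope || "").split(" ").filter(Boolean));
  return {
    sub: claims.sub,
    audienceOk: aud.includes(MANAGEMENT_AUDIENCE),
    missingScopes: requiredScopes.filter((s) => !granted.has(s)),
  };
}

// Constructed, unsigned sample token (alg "none", empty signature) that
// reproduces the post's symptom when scope is "": correct audience, no scopes.
function sampleToken(scope) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  const payload = { sub: "google-oauth2|123", aud: [MANAGEMENT_AUDIENCE], scope };
  return [enc({ alg: "none", typ: "JWT" }), enc(payload), ""].join(".");
}
```

Running `checkManagementToken` on the real token from `getTokenWithPopup` before constructing `Management` shows whether the empty `scope` claim, rather than the `sub` value, is what the API is rejecting.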