Getting Management API Access Tokens for SPAs

Here’s what I’m trying to do:

  • Authenticate with Google to sign in (done). I can get the user profile using auth0-spa-js, and that works.
  • Get the Access Token that was issued by Google in my SPA. I think I’ll need the Management API to do that.
  • Call Google APIs using that access token.

I have no idea how to do this without a backend. After reading several other questions that are similar, most people are redirected here: Call an Identity Provider API. The “frontend” part just says “first, build a backend.” One of the most important features of my app is that there is no backend, because we don’t want to have access to all of your data! If we did, it would make the Google review process even more burdensome.

I’m referring to this document: Get Management API Access Tokens for Single-Page Applications. It says “With a Management API Token issued for a SPA, you can access the following scopes (and hence endpoints),” and it goes on to list several scopes that make perfect sense and are exactly what they need. Those scopes are limited to changing the currently signed-in user.

I think there’s a problem with this code, though:

    let returnToken = await auth0.getTokenWithPopup({
      authorizationParams: AUTH0_MANAGEMENT_API_CONFIG
    });

Where AUTH0_MANAGEMENT_API_CONFIG is:

{
    "audience": "https://dev-xxxxxxxxxx.us.auth0.com/api/v2/",
    "scope": "read:current_user,update:current_user_identities,create:current_user_metadata,update:current_user_metadata,delete:current_user_metadata,create:current_user_device_credentials,delete:current_user_device_credentials"
}

Now, the token that I get back does exist. But when I inspect it at jwt.io, I get: "scope": "". Then, when I construct the auth0.Management instance:

    auth0Manage = new Management({
      domain: "dev-xxxxxxxxxxxx.us.auth0.com",
      token: managementToken
    });

and I try to get the identities thusly:

    // u is my user object
    auth0Manage.getUser(u.sub, (err, profile) => {
      if (err) throw err;
      console.log(profile.identities);
    });

Then I get err set to an error caused by it being unauthorized. Maybe that’s because there are no scopes, even though I’m trying to get all of them? I verified that u.sub equals the “sub” value in the JWT that’s returned as the management token.

In the headers for the response from /api/v2/users/<my sub>, I see Bearer error="Invalid token", if that helps.

Ah, solved it. Unlike other places where scopes are specified (for example, when defining a custom social connector), scopes must be separated with a space instead of a comma. I wish Auth0 would give some sort of error from the API when requesting invalid scopes!
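One way to avoid the comma mistake, and to confirm the token actually carries the requested scopes before building the Management client, as an added JavaScript example that is not code from the original post (the domain is the post's placeholder; the helper names are my own; the sample token is constructed locally and unsigned):

```javascript
// Added example (not from the original post): build the authorizationParams
// for getTokenWithPopup() with space-separated scopes, then inspect the
// returned JWT's "scope" claim before constructing the Management client.
const MANAGEMENT_SCOPES = [
  "read:current_user", "update:current_user_identities",
  "create:current_user_metadata", "update:current_user_metadata",
  "delete:current_user_metadata", "create:current_user_device_credentials",
  "delete:current_user_device_credentials",
];

// Each scope must be a single token: a comma or space inside one entry
// means the list was joined the wrong way (the bug in the post).
function buildManagementAuthParams(domain, scopes) {
  for (const s of scopes) {
    if (/[\s,]/.test(s)) throw new Error(`invalid scope value: ${s}`);
  }
  return { audience: `https://${domain}/api/v2/`, scope: scopes.join(" ") };
}

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return typeof Buffer !== "undefined"
    ? Buffer.from(padded, "base64").toString("utf8") : atob(padded);
}

// Reads claims only; it does not verify the signature (Auth0's API does
// that), so use it for diagnostics, never for authorization decisions.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Requested scopes the token does not grant; [] means it is safe to build
// `new Management({ domain, token })`. An empty "scope" claim, as in the
// post, returns every requested scope.
function missingScopes(token, requested) {
  const claim = decodeJwtPayload(token).scope || "";
  const granted = new Set(claim.split(" ").filter(Boolean));
  return requested.filter((s) => !granted.has(s));
}

// Constructed sample token (alg "none", dummy signature) for local testing.
function makeSampleToken(payload) {
  const enc = (str) => (typeof Buffer !== "undefined"
    ? Buffer.from(str, "utf8").toString("base64") : btoa(str))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [enc('{"alg":"none","typ":"JWT"}'), enc(JSON.stringify(payload)), "x"].join(".");
}
```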


Glad that it’s working now and thanks for sharing your feedback! I’ll make sure to relay it to our engineering teams!
