I’ve been trying to set up OAuth with Patreon so that I can query their API to find information about a user’s current subscription status, etc. In a previous post here I was pointed to the fact that I don’t get the access token from Patreon directly, but would need to use the Auth0 Management API to query the user and pull it from there – see Call an Identity Provider API.
This looks simple enough but I’m getting an ‘Unauthorized’ response on step 2 of the above linked doc. To simplify things I’ve just been testing via Postman so there are no libraries or anything getting in the way. What I did to set up:
- Created a test application for the management API
- Granted all permissions for that test application (I know you only need a couple, I just enabled all for testing)
- Taken the user ID of the only user I have from the Users page in Auth0 (me from testing)
What I get when trying to query the API:
- Run a POST to the /oauth/token endpoint:
curl --request POST \
--url https://dev-{tenant}.us.auth0.com/oauth/token \
--header 'content-type: application/json' \
--data '{"client_id":"{client_id}","client_secret":"{secret}","audience":"https://dev-{tenant}.us.auth0.com/api/v2/","grant_type":"client_credentials"}'
This works great, I get an access token back with all the many permissions I’ve granted it.
- Attempt to query the user profile:
curl --request GET \
--url 'https://dev-{tenant}.us.auth0.com/api/v2/users/%7B{user id}%7D' \
--header 'authorization: Bearer {access token from 1}'
Here I just get the string ‘Unauthorized’ back.
I think this might be because my user has only authorized my test application with Patreon and not the Management API application which is what the access token is granted for? But that seems like it should work, in the example from the linked doc their user has 1 identity from a Google login and the management API is able to load their info ok.
I checked the Logs page in Auth0 and I see the Success Exchange event from generating the access token, but there are no entries added for when I hit the users endpoint and get the Unauthorized.
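An added example, not part of the original post: a pre-flight check for the two requests above that decodes the access token's payload offline (inspection only, no signature verification), compares its audience, scopes and expiry with what the users call needs, and builds the users URL with the ID percent-encoded. It assumes the Management API token is a JWT with a space-separated `scope` claim; the function names, tenant domain, user ID and sample token are constructed for illustration.

```python
import base64, json, time
from urllib.parse import quote

# Scopes needed to read a user and their identity-provider tokens.
REQUIRED_SCOPES = {"read:users", "read:user_idp_tokens"}

def decode_claims(jwt):
    """Return the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = jwt.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT; check for stray quotes or braces")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def preflight(jwt, tenant_domain, now=None):
    """List reasons this token would not suit GET /api/v2/users/{id}."""
    claims = decode_claims(jwt)
    now = time.time() if now is None else now
    problems = []
    expected_aud = f"https://{tenant_domain}/api/v2/"
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"audience is {aud!r}, expected {expected_aud!r}")
    missing = REQUIRED_SCOPES - set(claims.get("scope", "").split())
    if missing:
        problems.append("missing scopes: " + ", ".join(sorted(missing)))
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

def user_url(tenant_domain, user_id):
    """Encode only the ID's own characters, so each '|' becomes %7C."""
    return f"https://{tenant_domain}/api/v2/users/{quote(user_id, safe='')}"

def sample_token(claims):
    """Build an unsigned, constructed token for offline testing only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed-signature"

if __name__ == "__main__":
    domain = "dev-example.us.auth0.com"  # constructed tenant domain
    tok = sample_token({"aud": f"https://{domain}/api/v2/",
                        "scope": "read:users", "exp": 2000})
    print(preflight(tok, domain, now=1000))
    print(user_url(domain, "oauth2|patreon|12345"))  # constructed user ID
```

The decoded claims are for inspection only; the Management API still validates the token's signature itself.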