Getting 'Unauthorized' when trying to fetch user profile

I’ve been trying to set up OAuth with Patreon so that I can query their API to find information about a user’s current subscription status, etc. In a previous post here I was pointed to the fact that I don’t get the access token from Patreon directly, but would need to use the Auth0 Management API to query the user and pull it from there – see Call an Identity Provider API.

This looks simple enough but I’m getting an ‘Unauthorized’ response on step 2 of the above linked doc. To simplify things I’ve just been testing via Postman so there are no libraries or anything getting in the way. What I did to set up:

  • Created a test application for the management API
  • Granted all permissions for that test application (I know you only need a couple, I just enabled all for testing)
  • Taken the user ID of the only user I have from the Users page in Auth0 (me from testing)

What I get when trying to query the API:

  1. Run a POST to the /oauth/token endpoint:
curl --request POST \
  --url https://dev-{tenant}.us.auth0.com/oauth/token \
  --header 'content-type: application/json' \
  --data '{"client_id":"{client_id}","client_secret":"{secret}","audience":"https://dev-{tenant}.us.auth0.com/api/v2/","grant_type":"client_credentials"}'

This works great, I get an access token back with all the many permissions I’ve granted it.

  2. Attempt to query the user profile:
# The braces around the user id in the docs are a placeholder, not part of the path;
# the id itself (e.g. auth0|...) must be URL-encoded, so the '|' becomes %7C.
curl --request GET \
  --url 'https://dev-{tenant}.us.auth0.com/api/v2/users/{url-encoded user id}' \
  --header 'authorization: Bearer {access token from 1}'

Here I just get the string ‘Unauthorized’ back.

I think this might be because my user has only authorized my test application with Patreon and not the Management API application which is what the access token is granted for? But that seems like it should work, in the example from the linked doc their user has 1 identity from a Google login and the management API is able to load their info ok.

I checked the Logs page in Auth0 and I see the Success Exchange event from generating the access token, but there are no entries added for when I hit the users endpoint and get the Unauthorized.
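A local preflight for the two steps above, added here as an example and not part of the original thread or of Auth0's own tooling: it builds the Get-a-user URL with the id percent-encoded (and no literal braces), then reads the token's aud and scope claims before the request is sent. The tenant domain, user id and required-scope list are assumptions, and the token fixture is constructed for offline testing only.

```python
import base64
import binascii
import json
from urllib.parse import quote

# Scopes the thread names for Get-a-user (assumption: adjust for other endpoints).
REQUIRED_SCOPES = {"read:users", "read:current_user", "read:user_idp_tokens"}


def user_url(tenant_domain: str, user_id: str) -> str:
    """Build /api/v2/users/{id}. The braces in the docs are a placeholder, not
    part of the path; the id (e.g. auth0|abc) must be percent-encoded, '|' included."""
    return f"https://{tenant_domain}/api/v2/users/{quote(user_id, safe='')}"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token: str) -> dict:
    """Unverified read of the JWT payload, enough to inspect aud/scope locally
    (the API verifies the signature; this diagnostic deliberately does not)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def preflight(token: str, tenant_domain: str) -> list:
    """Return the problems that would make the Management API reject this token."""
    try:
        claims = token_claims(token)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return ["token is not a JWT (truncated or opaque tokens are rejected with 401)"]
    expected_aud = f"https://{tenant_domain}/api/v2/"  # trailing slash is significant
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    problems = []
    if expected_aud not in auds:
        problems.append(f"aud {auds} does not include {expected_aud} (wrong audience: 401)")
    missing = REQUIRED_SCOPES - set(claims.get("scope", "").split())
    if missing:
        problems.append(f"missing scopes {sorted(missing)} (403 insufficient_scope)")
    return problems


def fixture_token(claims: dict) -> str:
    """Constructed, unsigned JWT for exercising preflight() offline; Auth0 would never
    accept it, it only mimics the layout of a real client_credentials token."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Run preflight() on the token from step 1 before step 2; an empty list means the remaining suspects are the URL and the Authorization header, not the token's claims.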

Hi @taboobat,

I have checked your logs and can confirm that you are getting the access token for your test application successfully.

However, when checking your test application’s scopes, it does not have the required scopes to call the Management API’s Get a user endpoint.

Specifically, you will need to grant your test application the read:users, read:current_user, and read:user_idp_tokens scopes.

(Reference: Auth0 Management API v2).

Thanks,
Rueben

Are you talking about on this screen, the API’s Machine to Machine Applications tab? That’s where the docs linked me to.

When creating the test application I selected all the permissions just so that it wouldn’t be an issue during testing. However, even with all permissions granted I’m still getting Unauthorized on all my requests.

Hi @taboobat,

Thanks for your reply.

In this case, could you please go to your Auth0 Dashboard > Applications > APIs > Auth0 Management API and click on the Test tab.

On that page, you should see a drop-down menu to select an application for testing. After you have selected your application, the next section has a code snippet that you can use to request an access token. Below that, is the Response section which has an access token.

Could you please use that access token that was provided against the Management API’s Get a user endpoint and let me know how it goes?

Thanks,
Rueben

@rueben.tiow that’s what I was using to try to test, and what was giving me ‘Unauthorized’ when trying to hit the users endpoint.

However, over the weekend I figured out how to authenticate with Patreon’s API directly without using Auth0 so I switched over to that instead. So I’m not sure what was going on with my Auth0 setup but I’m also not using it anymore :person_shrugging:


Hi @taboobat,

I’m glad you were able to resolve your issue.

Let me also add that you should be able to use that access token against the Management API. I have tested this myself and can confirm that it works.

You can always verify that it works by following these steps:

This is a guaranteed way to use the Management API.

Thanks,
Rueben
