I’m relatively new to Auth0 and would like some confirmation that I understand this correctly!
At the moment I am building a MongoDB/Express/Angular/Node SPA that uses Auth0 to authenticate users. I have successfully followed the tutorial here: The Complete Guide to Angular User Authentication with Auth0 and set up routes with roles stored in the app_metadata for each user + used the JWT as middleware on routes on my backend.
Here’s where I get lost. In the above tutorial, there’s no need for the admin user to manage the other users. However, in my application, I would like the admin to be able to view all the users, and if needed create new users/delete old users from the app. I would also like users to be able to add additional information about themselves such as a bio or address.
From my understanding in order to achieve this I need to store additional user information in user_metadata and use the Management API via my node backend to achieve this, but I can’t seem to get my head around whether this is correct or not. The other option seems to be the less correct storage of additional user data on a local database and link it to the user_id, but this doesn’t answer how an admin user on my app can add/remove other users.
Does anyone know any good reading resources for this or even an example application which I can peruse to learn more?
You are definitely on the right track. User management can be done directly on the Auth0 Dashboard, or can be done via the Management API. The management API will require you to build your own UI, but provides more flexibility and ability to automate. This will need to be connected to a backend where the calls are actually being made, as it is more secure.
For users to add additional information to their profiles (user_metadata) you can make a call to the management API directly from your Angular app. SPAs are limited in scope due to their exposed nature. See more below:
In regards to storing user data, that can be done locally and by Auth0. You probably want to store a copy of user_id in a local database as users log in. Then you have a place to store more in-depth user data like posts, blogs, etc. Typically the data stored in user_metadata or app_metadata should be related to authentication/authorization. Check out this best practices doc:
Let me know if this helps or if you have any further questions.
Actually, sorry, could I just clarify that I understand correctly?
I use the Implicit Flow to allow users to login via Auth0 on my SPA and then call protected routes on my API.
If I wish to allow a user to view a list of users or delete/add users, I need to use the Client Credentials flow to give my backend access to the management API via its own access token.
So the whole process would be:
User visits my SPA/users page
SPA calls backend /users route.
Backend /users route requests an access token (with appropriate scope) and then makes a call to /api/v2/users
Users are then returned to the SPA via the backend and displayed.
If this is the correct implementation, how should I handle the backend server’s access token? Should I be requesting a new one with each request made?
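The backend step of that flow, as an added example that is not code from this thread: a small server-side cache that obtains the Management API token with the Client Credentials grant and reuses it until shortly before it expires, rather than requesting a fresh one on every /users call. The tenant domain, the environment variable names and the `checkJwt`/`requireAdmin` middleware in the commented route are assumptions.

```javascript
// Added example (not from the thread): server-side cache for the Auth0
// Management API access token obtained via the Client Credentials grant.
// The token is requested once and reused until shortly before expiry;
// the client secret never leaves the backend.
// `requestToken` is injectable so the cache can be exercised offline.

const AUTH0_DOMAIN = 'YOUR_TENANT.auth0.com'; // placeholder, assumed from env
const AUDIENCE = `https://${AUTH0_DOMAIN}/api/v2/`; // Management API audience

// Real token request against the standard OAuth2 token endpoint.
async function fetchClientCredentialsToken() {
  const res = await fetch(`https://${AUTH0_DOMAIN}/oauth/token`, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({
      grant_type: 'client_credentials',
      client_id: process.env.AUTH0_CLIENT_ID,         // assumed env var
      client_secret: process.env.AUTH0_CLIENT_SECRET, // assumed env var
      audience: AUDIENCE,
    }),
  });
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  return res.json(); // { access_token, expires_in, token_type }
}

// Cache that refreshes `skewMs` before the reported expiry so a token
// that is about to expire is never handed to an outgoing request.
function createTokenCache(requestToken, now = Date.now, skewMs = 60000) {
  let cached = null; // { accessToken, expiresAt }
  let requests = 0;
  return {
    async getToken() {
      if (cached && cached.expiresAt - skewMs > now()) return cached.accessToken;
      requests += 1;
      const { access_token, expires_in } = await requestToken();
      cached = { accessToken: access_token, expiresAt: now() + expires_in * 1000 };
      return access_token;
    },
    requestCount: () => requests, // how many real token requests were made
  };
}

const managementToken = createTokenCache(fetchClientCredentialsToken);

// Assumed Express route (checkJwt/requireAdmin come from the app's own setup):
// app.get('/users', checkJwt, requireAdmin, async (req, res) => {
//   const token = await managementToken.getToken();
//   const r = await fetch(`${AUDIENCE}users`, { headers: { authorization: `Bearer ${token}` } });
//   res.status(r.status).json(await r.json());
// });
```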