How do I create a token that will allow me to create a new client using the management API?

oclipa · March 26, 2024, 5:28pm

My tenant contains the default Auth0 Management API and a custom API. Using the .NET SDK, I want to create a new MachineToMachine client for the custom API.

I first want to create a token that will allow me to create a new client. I believe I need to use code similar to the following:

var restClient = new RestClient("https://[MY_TENANT].us.auth0.com");
var request = new RestRequest("oauth/token", Method.Post);
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", "{\"client_id\":\"[CLIENT_ID]\",\"client_secret\":\"[CLIENT_SECRET]\",\"audience\":\"[AUTH0_MANAGEMENT_API_AUDIENCE]\",\"grant_type\":\"client_credentials\"}", ParameterType.RequestBody);
RestResponse response = restClient.Execute(request);

Questions:

What values should I use for CLIENT_ID and CLIENT_SECRET?
Do I need to manually need to create a “master” client to obtain the id and secret?
If I need to manually create a master client, to which API do I authorize this: the Auth0 Management API or the custom API?
What should I be using for the Audience value: the one for the Auth0 Management API or for the custom API?

I have tried manually creating a master client, however if I specify the audience as [AUTH0_MANAGEMENT_API_AUDIENCE], the token that gets generated fails with a “invalid token” error. If I specify the audience as [MY_CUSTOM_API_AUDIENCE], it fails with a “bad audience” error.

The generated token looks something like this:

{
  "iss": "https://[MY_TENANT].us.auth0.com/",
  "sub": "[CLIENT_ID]@clients",
  "aud": "[AUDIENCE]",
  "iat": 1711472848,
  "exp": 1711559248,
  "gty": "client-credentials",
  "azp": "[CLIENT_ID]"
}

What is wrong with the generated token? How can I create a valid token that will allow me to call apiClient.Clients.CreateAsync(clientRequest)?

oclipa · March 27, 2024, 3:47pm

Ah, OK, I’ve finally worked it out myself. I need to do the following:

Manually create a new Custom API (in addition to the default Auth0 Management API).
Enable the API Explorer for the default Auth0 Management API (this will create an API Explorer Application).
Ensure the API Explorer Application is authorized for Machine-to-Machine with Auth0 Management API.
Get the clientId and clientSecret for API Explorer Application, plus the Audience for the Auth0 Management API - these will be the values used to generate the token required to create a client.
Instantiate a new ManagementApiClient using the token and a Uri based on the Auth0 Management API Audience.
Submit a ClientCreateRequest, which will generate a new custom client application (note the new customClientId and customClientSecret)
Submit a ClientGrantCreateRequest, using the Audience of my Custom API, which will ensure that the new client application is authorized for my Custom API.

At the end of this, I now have a customClientId, customClientSecret and customApiAudience that can be used to generate tokens for accessing endpoints secured by my Custom API.

system · April 10, 2024, 3:47pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to use the .NET SDK to get an access token for the management API? Help .net , management-api , access-token	3	5149	March 2, 2018
Custom API access Management API Help auth0 , api , management-api	4	4800	November 11, 2021
Access token for machine-to-machine API Help management-api , users	7	4663	November 29, 2022
Manage users with custom API Help	6	3353	May 16, 2020
Management API returns 401 Unauthorized (Invalid token) Help auth0 , management-api , login	3	6541	June 23, 2020

How do I create a token that will allow me to create a new client using the management API?

Related topics