However, I read that this shouldn’t be done on the frontend because of the client secret. So what I have done is that when a user clicks a button, axios sends a get request to my backend server. Then, the server initiates the POST request as detailed in the docs above.
I’m not sure if this is the right way to do this, but I don’t think it is. It is currently giving me a 401 unauthorized error. However, when I test this request on postman, it works fine. So I’m guessing I’m doing the request in the wrong “environment”.
Is axios supposed to be used on the backend? And it seems sort of repetitive that I have to do two requests to get one response.
I assume you are implementing a SPA. The best solution for you will depend on what you want to achieve because Management API Tokens for SPAs have certain limitations. Specifically, they are issued in the context of the user who is currently signed in to Auth0 which limits updates to only the logged-in user’s data. Although this restricts the use of the Management API, it can still be used to perform actions related to updating the logged-in user’s user profile.
Important: Auth0 does not recommend putting Management API Tokens on the frontend that allow users to change user metadata.
Now, if you want to issue non-restricted Access Tokens because your use case requires it, the only secure solution would be to request them from a backend, so from what I understood you are in the right path. This means following Get Management API Access Tokens for Production from your backend.
Hi Ale, thank you for your help. Now that you bring it up, what use cases should I use a non-restricted Access Tokens for the management API?
For most of my use cases, I would like to update user_metadata and app_metadata, and give certain permissions to people based on their roles. However, only I would be setting up these permissions, roles, etc. during development. The main things the user themselves can do is just editing their profile, creating new posts. Do you think I only need the tokens for SPAs then?
With a non-restricted Access Token issued for the Management API, you could do many more things that would not be related to the logged-in current user. Think about it as being able to act just as the logged-in user (SPA Access Token) vs being able to act as the admin of your tenant.
Some examples of things you could do with a non-restricted Access Token would be to edit other users’ profiles or just edit any other data that are not related to users such as clients, connections, or maybe search logs… the possibilities are almost endless in the sense that you would have tenant-admin powers if you wanted to.
For the most part, yes. Everything that involves editing the currently logged-in users, yes, it should be doable. However, you’ve mentioned permissions, roles, etc. This is something that can be implemented in many different ways, including Auth0 ways such as Authorization Core vs. Authorization Extension and it could also be implemented externally, for example by leveraging user metadata to store those permissions and roles. In a nutshell, if the logged-in users only need to view and/or edit their current profile, then yes, Access Tokens issued for SPA would do the job.
Thanks again for the help. With a non-restricted access token, I would be able to act as the admin of my application essentially, from what I understand. Then what is the advantage of using the management API vs just using the auth0 dashboard to edit these things? Is it that it gives me a way as an “employee” to manage users directly from my application, instead of using the dashboard? Or are there are use cases?
In this cases, I will use the SPA tokens then. To edit permissions and roles, then how do I use the authorization core? Have I not been using it already with the auth0 dashboard and such, or is that something completely different?
The Dashboard is a visual UI that is easier and sometimes quicker to use than the Management API. You can use the Management API from inside your application or from any other place such as a UNIX shell, a HTTP client or any other script or app. It gives you huge flexibility on how you want to manage your tenant and the data it contains.There are too many potential use cases for me to describe them all, from developing your own custom Auth0 Dashboard to provide users with administrative access or certain permissions (defined by the scopes that you can assign to the Access Tokens they could use).
As I mentioned in my previous response, there are several ways to implement roles and permissions. Currently, Authorization Core is not something that can be managed with a restricted SPA Access Token. If you take a look at Assign Roles to Users via Management API, you will notice that the Management API Access Token requires the scopes read:roles and update:users. We don’t have those scopesin a restricted SPA Management API Access Token as documented on Get Management API Access Tokens for Single-Page Applications.
If you really want to use Authorization Core and handle it via Management API, then you would need to call our Management API from your backend so you can have any scope you need without the restrictions that a SPA application imposes.
Thanks for the help. It seems that the easiest to assign permissions and roles is through the dashboard then? I don’t think I need to do any of the use cases you outlined above with the Management API. The extra scopes not offered by the SPA tokens, such as update:users, or read:roles, I can probably do through the dashboard?
Also, I have visited the page “get management API tokens for SPA” many times, but it only offers ways to do so manually and for testing. How do I get tokens automatically? Do I use the react SDK and getAccessTokensSilently() function? Thanks!