I am using React.js and the @auth0/auth0-react SDK. I have a custom backend API. So my Auth0Provider component is configured with the audience of that custom API.
However, I also want the user to be able to update their own user_metadata using the Management API. I have created a page component to get input from the user and update the user_metadata with that input. So I need to get an accessToken for the Management API, and this is where the issue occurs. If I try to use ‘getAccessTokenSilently’ it redirects me to a page because I have already signed in for the custom API, and so all the progress is lost. Another way is to use getAccessTokenWithPopup. This way react.js prompts a popup page and gets the accessToken without any need for an additional login. But this triggers another issue. Popups are not that eye-pleasing and often get blocked by the browser. So I have to use the silent method somehow.
You can specify a different audience with getAccessTokenSilently without being redirected to login, but you’d need to use a Custom Domain for this to work when third-party cookies are blocked.
The options available would be:
Proxy the Management API request in your own API - This is the recommended approach as it would allow you to implement your own business-specific data validation. It’s also not recommended to expose a Management API Access Token in a public client that allows the user to update their metadata, as explained in the docs:
Auth0 does not recommend putting Management API Tokens on the frontend that allow users to change user metadata. This can allow users to manipulate their own metadata in a way that could be detrimental to the functioning of the applications. It also allows a customer to do a DoS attack against someone’s management API by just spamming it and hitting rate limits.
Use a Custom Domain so that silent authentication would not fail and you’d be able to receive an Access Token
By saying Proxy the Management API over your custom API, do you mean that I must create a machine-to-machine application, send a request to my custom API backend using the frontend, process that request at the backend server and then create a request using the machine-to-machine client? If that’s what you mean, I thought about this but sadly there is a very low machine-to-machine request limit for the Free Tier if I’m not wrong. If you mean something else please explain this to me a bit or direct me to a docs resource.
Tokens requested for internal Auth0 APIs such as the Management API v2 (for example, when the audience is https://YOUR_DOMAIN/api/v2/) won’t count towards the M2M quota:
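A sketch of the proxy approach recommended in the answer above, added here as an example and not code from the thread or from Auth0. It assumes a Node backend where your own API's JWT middleware has already verified the user's access token and exposed its `sub` claim, and where the Management API token (`mgmtToken`) is obtained server-side and never sent to the browser; `ALLOWED_KEYS` is a made-up business allowlist and `fetchImpl` is injected so the logic can be exercised without network access.

```javascript
// Added example: server-side proxy for updating the caller's own user_metadata.
// Assumption: req.auth.sub comes from your API's verified access token, and
// mgmtToken is a Management API token held only on the server.

const ALLOWED_KEYS = { displayName: "string", newsletter: "boolean" }; // hypothetical allowlist
const MAX_STRING_LEN = 64;

// Validate the client-supplied patch: only allowlisted keys, expected types, bounded size.
// This is the "business-specific data validation" a public client cannot enforce.
function validateMetadataPatch(body) {
  if (!body || typeof body !== "object" || Array.isArray(body)) {
    throw new Error("patch must be a JSON object");
  }
  const clean = {};
  for (const [key, value] of Object.entries(body)) {
    const expected = ALLOWED_KEYS[key];
    if (!expected) throw new Error(`field not allowed: ${key}`);
    if (typeof value !== expected) throw new Error(`bad type for ${key}`);
    if (expected === "string" && value.length > MAX_STRING_LEN) throw new Error(`too long: ${key}`);
    clean[key] = value;
  }
  if (Object.keys(clean).length === 0) throw new Error("empty patch");
  return clean;
}

// Build the Management API call: PATCH https://{domain}/api/v2/users/{id} with { user_metadata }.
function buildManagementRequest(domain, userId, mgmtToken, userMetadata) {
  return {
    url: `https://${domain}/api/v2/users/${encodeURIComponent(userId)}`,
    method: "PATCH",
    headers: { Authorization: `Bearer ${mgmtToken}`, "Content-Type": "application/json" },
    body: JSON.stringify({ user_metadata: userMetadata }),
  };
}

// The target user is taken from the verified token's sub, never from the request body,
// so a caller can only ever update their own metadata.
async function updateOwnMetadata({ sub, body, domain, mgmtToken, fetchImpl = fetch }) {
  const patch = validateMetadataPatch(body);
  const req = buildManagementRequest(domain, sub, mgmtToken, patch);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) throw new Error(`management api returned ${res.status}`);
  const user = await res.json();
  return user.user_metadata; // return only what the client needs; the token never leaves the server
}
```

Wire `updateOwnMetadata` behind an authenticated route on your custom API and have the React app call that route with the access token it already holds for the custom API audience, so no second token or popup is needed in the browser.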