I'd prefer it to return the user profile with the scopes `["openid", "name", "email"]` (as you'd get pinging the `/userinfo` endpoint).
Is this possible? Or do I just have to make another call to `/userinfo` after updating the user metadata?
When updating an user through the Management API using the /users endpoint, the response body should include the full JSON of their profile attributes as available in the Auth0 Dashboard:
If you would want to return the scopes of the user after updating their profile, as you have mentioned, I would recommend calling the /userinfo endpoint since that information is included in the access token and not inside the user attributes that are available from the identity stored.
Thanks Nik, that’s not what I’m seeing though. Perhaps it depends on if you’re doing it as an admin or a user? For example here is my logged in user’s access token (with the idToken extracted):
That’s probably the reason; I’m using the access token (it wasn’t so clear from the documentation what the difference is).
I’m assuming for a SPA app (I’m using Elm) the access token is more secure (for example putting in the scope update:users to generate an access token won’t give them access to this functionality).
Would you discourage using the management API on the frontend?
I would discourage the use of the management api on the frontend since it might make your application open to several security risks. However, you could use the access token in order to return scopes which would allow only specific users to perform specific actions, thus having your application use the stored API token to perform these actions on their behalf.
In our sample SPA applications, we usually have an API audience which is defined in order to perform M2M communication with the Management API to prevent such risks (like storing the your API token inside the application. I would highly recommend following such an approach.
Understood. Right now I’m only using access token with user_metadata and update:current_user_metadata (with Management API audience) so perhaps that’s all I’ll need — it seems pretty secure.
It does seem unsafe to store the Management API token in the SPA app. At least with the access token it’s only on the user’s browser and can only torpedo their own account if it gets hacked!
Could you point me to the bits of the SPA code you’re talking about?
Is the user ID ("sub") always completely random?
I can always admin the management API locally, and if (2) is true the likelyhood of a brute force attack seems quite small.
Could you point me to the bits of the SPA code you’re talking about?
In the case of the React sample application, the audience would be defined in an auth_config.json file where you would declare the values for the Auth0 Domain, Client ID and Audience. These values would then be used by the config.jsfile.
Is the user ID ("sub") always completely random?
The sub value inside the token is not completely random, that would be the user_id of the logged in user available within the Auth0 Dashboard. The user_id is composed of 2 parts:
Type of connection used (database connection/social connection type/enterprise connection type).
Generated user_id when the user first signed up to an application and registered inside the dashboard.
Great stuff, thanks. I’m seeing "sub" in both the JWT access token / /userinfo endpoint return value (it’s a bit confusing this user_id is labelled "sub". Understand the "sub" value isn’t always random, what I was asking is if the part of the user_id after the | pipe is random? I’m assuming the answer is yes.
Sorry if I was not clear enough above. The part after the |, specifically sub| would be the user_id under the Auth0 Dashboard, meaning that the value would be as following:
sub|{auth0_user_id}
In conclusion, that number is not automatically generated, it is the user_id available within the Dashboard. As you have mentioned, that value is also visible inside the user JSON under user_id, however it is translated to sub inside the token.
Basically, the user_id property is randomly generated in order to be unique within a tenant. A user may have the same user_id property across multiple Auth0 tenants, but consistency is not guaranteed.
Meaning that, as you have stated, the user_id generated on signup is random but guaranteed to be unique.