Thanks for answering!
In the meantime things have become a bit clearer for me and I hope I can explain better.
I’m using Auth0 from Elixir and this is why in my question I didn’t show any library calls, because it’s not a popular language and what matters in the end is the HTTP requests sent to Auth0.
What I need to do is to get the user roles from Auth0. I understand that I need to make a call to Auth0 Management API Get-user-roles with the token in the “Authentication” header as a “Bearer ”.
The problem is that when I do so I get a 403 Forbidden error with the message “Insufficient scope, expected any of: read:users,read:roles,read:role_members”. If I decode the token on jwt.io I see this:
{
"iss": "https://mytenant.eu.auth0.com/",
"sub": "auth0|66223049b368c7956fdfeabd",
"aud": [
"https://mytenant.eu.auth0.com/api/v2/",
"https://mytenant.eu.auth0.com/userinfo"
],
"iat": 1713786790,
"exp": 1713873190,
"scope": "openid profile email",
"azp": "S1MDQ0d0vXHNOspBV0LwUeYPWrQHUSV8"
}
…from which it is pretty obvious that it doesn’t have the required scopes.
If I look at the authentication call that was made to Auth0, I see that the call is specifying the correct scopes:
https://mytenant.eu.auth0.com/authorize?
audience=https%3A%2F%2Fmytenant.eu.auth0.com%2Fapi%2Fv2%2F&
client_id=myclient_id&
redirect_uri=http%3A%2F%2Fmy_url.com%3A4000%2Fauth%2Fauth0%2Fcallback&
response_type=code&
scope=openid+profile+email+read%3Ausers+read%3Aroles+read%3Arole_members&
state=J2S_OE79vKpxAkGBz9M1oySI
Also, please note that I’ve given my application permission to call the Management API with the scopes read:users,read:roles,read:role_members in Dashboard → Applications → APIs → Auth0 Management API → Settings → Machine to machine applications.
And here is where I got blocked. What am I missing here? Why doesn’t the token contain the requested scopes?
Thanks,
ovidiu
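The check ovidiu did by hand on jwt.io (decode the token, compare its `scope` and `aud` claims with what the Management API endpoint demands) can be scripted as a pre-flight diagnostic. The following is an added example, not code from the post or from Auth0; it is written in Python rather than Elixir, reuses the tenant, client id, redirect URI, audience and scope values quoted in the post, and builds a constructed, unsigned sample token purely so the decoder has something to parse. The decoding deliberately skips signature verification, which is fine for inspecting a token you already hold but must never be used to make an authorization decision.

```python
import base64
import json
from urllib.parse import urlencode

# Scopes named in the 403 "Insufficient scope" message quoted in the post.
REQUIRED_SCOPES = ("read:users", "read:roles", "read:role_members")
# Management API audience for the tenant in the post.
MGMT_AUDIENCE = "https://mytenant.eu.auth0.com/api/v2/"

# Constructed sample payload mirroring the claims the post shows on jwt.io.
SAMPLE_PAYLOAD = {
    "iss": "https://mytenant.eu.auth0.com/",
    "sub": "auth0|66223049b368c7956fdfeabd",
    "aud": [MGMT_AUDIENCE, "https://mytenant.eu.auth0.com/userinfo"],
    "iat": 1713786790,
    "exp": 1713873190,
    "scope": "openid profile email",
    "azp": "S1MDQ0d0vXHNOspBV0LwUeYPWrQHUSV8",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_payload_unverified(token: str) -> dict:
    """Return the payload claims of a compact JWS WITHOUT checking its signature.

    This mirrors pasting the token into jwt.io: useful for diagnosing a token
    you already hold, never for deciding whether to trust it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def missing_scopes(payload: dict, required=REQUIRED_SCOPES) -> list:
    """Scopes from `required` absent from the token's space-separated scope claim."""
    granted = set(payload.get("scope", "").split())
    return [s for s in required if s not in granted]


def diagnose(token: str, audience: str = MGMT_AUDIENCE) -> list:
    """Reasons a Management API call with this token would be rejected (empty if none)."""
    payload = decode_payload_unverified(token)
    problems = []
    aud = payload.get("aud", [])
    if isinstance(aud, str):  # aud may be a single string or a list
        aud = [aud]
    if audience not in aud:
        problems.append(f"audience {audience} not in aud claim")
    missing = missing_scopes(payload)
    if missing:
        problems.append("missing scopes: " + ",".join(missing))
    return problems


def build_authorize_url(domain, client_id, redirect_uri, scopes, state, audience):
    """Build the /authorize URL for the authorization-code request shown in the post."""
    query = urlencode({
        "audience": audience,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
    })
    return f"https://{domain}/authorize?{query}"


def make_demo_token(payload: dict) -> str:
    """Constructed token with a placeholder signature, only so decode_payload_unverified has input."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"


if __name__ == "__main__":
    token = make_demo_token(SAMPLE_PAYLOAD)
    for problem in diagnose(token):
        print("would be rejected:", problem)
    print(build_authorize_url("mytenant.eu.auth0.com", "myclient_id",
                              "http://my_url.com:4000/auth/auth0/callback",
                              ["openid", "profile", "email", *REQUIRED_SCOPES],
                              "J2S_OE79vKpxAkGBz9M1oySI", MGMT_AUDIENCE))
```

Running `diagnose` on the token from the post reports only the missing scopes, since the `aud` claim already contains the Management API. The useful observation is that `build_authorize_url` reproduces exactly the request the post shows, so the request side is not where the scopes get lost: the `scope` claim in an issued token is what the authorization server chose to grant, and when it is narrower than what was requested the cause lies in what that client is allowed to obtain for that audience, not in the URL.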