I can't update user email or any other information

Hello,

I’m developing a React app (single page app) in which a user has the option of updating their email/password/profile picture. The user makes the request via a form which is later sent to my backend via an API call alongside the access token, so it can be processed. The problem is that when I retrieve the access token in the frontend, the scopes I have selected (openid profile email update:users create:users delete:users create:current_user_metadata update:current_user_metadata read:current_user update:current_user_metadata) aren’t there, only “openid profile email create:current_user_metadata update:current_user_metadata read:current_user” are returned. When I call the Auth0 Management API with

await fetch('https://{tenant_name}.eu.auth0.com/api/v2/users/' + user_id, {
  method: 'PATCH',
  headers: {authorization: token, 'content-type': 'application/json'},
  data: {"connection": "Username-Password-Authentication"},
  body: JSON.stringify({email: new_email})
})
  .then(response => response.json())
  .then(success => res.status(200).send({message: "Email has been changed!"}))
  .catch(error => res.status(500).send(error));

I get an error message saying I need update:user scope.

I have two apps in my Auth0 dashboard, my main Single Page App for the React app and a machine-to-machine app that has the permissions I need from the management API. I’ve tried using the machine-to-machine’s client ID but, obviously. Is there something I’m missing that doesn’t allow me to get the scopes I need?

Thank you beforehand!

Hi @MarkelAlvarez,

Welcome to the Auth0 Community!

I understand that you encountered an error message indicating that the authorization token is missing the update:users scope.

To fix this issue, could you please try including the update:users scope in your authorization request?

For example:

const accessToken = await getAccessTokenSilently({
  audience: `https://${domain}/api/v2/`,
  scope: "update:users",
});

Please let me know if this resolves the issue.

Thank you.

Hi @rueben.tiow !

I’ve tried including the scopes I need for this and other API calls on the Auth0Provider (as you can see below) as well as in the getAccessTokenSilently() call but the token doesn’t include them.

<Auth0Provider
	domain={domain}
	clientId={clientId}
	redirectUri={window.location.origin}
	onRedirectCallback={onRedirectCallback}
	audience={audience}
	scope={"openid profile email create:users update:users read:users delete:users update:current_user read:current_user delete:current_user"}
>
	{children}
</Auth0Provider>

The returned token only includes the following scopes: "scope": "openid profile email read:current_user".

Can the origin of the problem come from a misconfiguration of the Management API?

Thank you!
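
A way to check what the thread describes, as an added example that is not part of any post above: it decodes an access token's `scope` claim and sorts the requested scopes into those granted and those that fall outside the Management API scopes Auth0 documents for tokens issued to a single-page application. The scope list, the helper names and the sample token are assumptions constructed for this example; scopes outside that list, such as `update:users`, are the kind a backend would use with the machine-to-machine application's own token.

```javascript
// Assumption: per Auth0's documentation, these are the only Management API scopes
// issued to a token that a SPA obtains for the logged-in user. Verify against current docs.
const SPA_MGMT_SCOPES = new Set([
  "read:current_user", "update:current_user_identities",
  "create:current_user_metadata", "update:current_user_metadata",
  "delete:current_user_metadata", "create:current_user_device_credentials",
  "delete:current_user_device_credentials",
]);
const OIDC_SCOPES = new Set(["openid", "profile", "email", "offline_access"]);

// Decode the JWT payload for inspection only; this does NOT verify the signature.
function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Compare the requested scope string with the scope claim the token actually carries.
function diffScopes(requested, jwt) {
  const claim = decodePayload(jwt).scope || "";
  const granted = new Set(claim.split(/\s+/).filter(Boolean));
  const report = { granted: [], outsideSpaSet: [], notGranted: [] };
  for (const s of new Set(requested.split(/\s+/).filter(Boolean))) {
    if (granted.has(s)) report.granted.push(s);
    else if (!OIDC_SCOPES.has(s) && !SPA_MGMT_SCOPES.has(s)) report.outsideSpaSet.push(s);
    else report.notGranted.push(s); // allowed for a SPA, but still missing from the token
  }
  return report;
}

// Constructed sample: unsigned token with a dummy signature, carrying the scope
// claim quoted in the thread, and the scope string passed to Auth0Provider.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleJwt = [
  b64url({ alg: "none" }),
  b64url({ scope: "openid profile email read:current_user" }),
  "constructed-signature",
].join(".");
const requestedScopes = "openid profile email create:users update:users read:users " +
  "delete:users update:current_user read:current_user delete:current_user";

console.log(diffScopes(requestedScopes, sampleJwt));
```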