Management API access from server API using SPA JWT

Hi, I’m going crazy with this so any help much appreciated.

I’m trying to do something which feels like the most common thing that you could possibly do, and yet there is no example of doing this…

Here’s the scenario:

Stack

app.example.com => React SPA protected using Auth0
login.example.com => Auth0 Custom domain universal login page
app.example.com/api/v1 => Internal API: Node JS server api protected by JWT
login.example.com/api/v2 => Auth0 Management API

What I want to achieve

  1. User authenticates on login server and is redirected to the React app
  2. Now let’s say we want the user to update his own nickname. This requires privileges not accessible from an SPA, so enter the internal api.
  3. The react app now posts to something like /api/v1/update_nickname
  4. The Node JS server checks the Token passed in the header, and proceeds to make a call to the Management api and passes on the same JWT to login.example.com/api/v2/users/{user_id}
  5. The Node JS server passes back success or fail to the react app that made the call.

What is it that I’m misunderstanding considering the lack of examples covering this scenario? :slight_smile:

What audience do I need to pass when getting the user’s JWT silently in the react app? How can I control which APIs a certain user should have access to if I have multiple different internal api’s?

If the operation being performed through the Auth0 Management API requires scopes that cannot be granted through an end-user based flow (https://auth0.com/docs/tokens/management-api-access-tokens/get-management-api-tokens-for-single-page-applications#available-scopes-and-endpoints) what you would be missing is that in step 4 your backend after confirming that the call to its own endpoint is validated properly. For example, ensure the received token is valid and it is associated with the user for which the nickname is to be updated it would use a client credentials grant to obtain a Management API access token with scopes necessary to perform the operation (Get Management API Access Tokens for Production).

From the client credentials grant you would obtain an access token suitable to call Management API. In conclusion, what you are missing is the token used to call your own API will not be the one used to call Management API.

Ok got it. So essentially a machine to machine token access that my API receives and performs the action based on the “user” token’s user id etc?

I think could be worth explaining in the otherwise very good examples. Is this not a common use case? If so, what are people doing instead?

Yes, that machine to machine access token could/should be cached and reused by the backed to perform multiple operations even on different users because the backed itself would first validate through the user access token that it received that the operation is valid for a specific user. I don’t think there are other options besides the ones covered before so it may just be a case of docs focusing more on strict reference information in terms of how to do X at a lower level and not tackling the when to do X and when not to do X. The documentation is part of the product so feel free to leave any feedback through Auth0: Secure access for everyone. But not just anyone. as that is a direct channel to our product teams.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.