User authenticates on login server and is redirected to the React app
Now let’s say we want the user to update his own nickname. This requires privileges not accessible from an SPA, so enter the internal api.
The react app now posts to something like /api/v1/update_nickname
The Node JS server checks the Token passed in the header, and proceeds to make a call to the Management api and passes on the same JWT to login.example.com/api/v2/users/{user_id}
The Node JS server passes back success or fail to the react app that made the call.
What is it that I’m misunderstanding considering the lack of examples covering this scenario?
What audience do I need to pass when getting the user’s JWT silently in the react app? How can I control which APIs a certain user should have access to if I have multiple different internal APIs?
From the client credentials grant you would obtain an access token suitable to call Management API. In conclusion, what you are missing is the token used to call your own API will not be the one used to call Management API.
Yes, that machine to machine access token could/should be cached and reused by the backend to perform multiple operations even on different users because the backend itself would first validate through the user access token that it received that the operation is valid for a specific user. I don’t think there are other options besides the ones covered before so it may just be a case of docs focusing more on strict reference information in terms of how to do X at a lower level and not tackling the when to do X and when not to do X. The documentation is part of the product so feel free to leave any feedback through Auth0 as that is a direct channel to our product teams.