Management API Client Grants Only allow current user to update themselves

SPA + Rails api, I have a front end that allows users to update their own profile information using the management api. when i first set it up I was getting failures from auth0, then i added the grants read:client_grants and read:users now it seems to work. I only want the current user to update their own information. Given I am using pundit id like to use that for authorization but I still want the request to work with auth0.

Thanks

Hi @scott.stern06,

One important thing to remember about SPAs is that they live on the client and can be inspected by any user that has access. Because of that, they are quite limited in what scopes they should receive, as anyone who gets that token can access your management API and all scopes that the token contains.

Users should be able to update their user_metadata. This information is typically used for things like address, or other user-controlled data. If you want to change something like a user role, or something you don’t want the user to have access to that will have to be done via your backend.

Let me know if I missed anything,

Thanks,
Dan

Thannks @dan.woda!

This partially answers my question.

Let me be a little bit more clear, in my Auth0 Management Api dashboard there are client grant permissions you can set, ie read:users, update:users etc. I ONLY want the user in my application to be able to update THEIR own data, which i would expect a client_grant of update:current_user but i do not.

To guard against having users able to update other users by giving them blanket access to read:users or update:users, does auth0 support a current_user functionality.

Also, tangentially related SPA + Rails API passing auth0_id from front end to back - Best Practice

thank you

@scott.stern06,

Sorry for the delayed response. This one took some testing to make sure everything was working correctly (it is :slight_smile: ), and there are some confusing elements that don’t help.

Here are the details, please let me know if I miss something:

  • SPAs can’t request any of the normal scopes that are listed in the auth0 managment dashboard under management API. And they don’t even show up under machine-to-machine applications in the Management API settings.
  • They have a limited set of scopes they can request, and are listed here (the doc in the FAQ mentioned above).
  • These limited scopes do what you are requesting; limit the user to be able to only edit their non-auth related data.
  • SPAs and their limited scopes aren’t displayed in dashboard (which can be confusing) but they are automatically limited. Here is the line from the dash:

    Single Page and Native apps do not require further configuration. SPAs can execute the Implicit Grant to access APIs while Native Apps can do Authorize Code with PKCE for the same purpose.

In conclusion, you shouldn’t need to configure anything, because apps using the implicit flow or auth code w/ PKCE flow will be limited to the current_user scopes by default. For the exact reason you are mentioning.

Thanks,
Dan