Management API get token throws "User is not authorized to the audience for those scopes"

I have to call the Management API from one of our services. The first question is, can we use password grant to get tokens for Management API?
Though I have been successful in authenticating and getting a token back for the Management API using password credentials, I have used the client id and client secret from a regular Web Application and not an M2M account. But when I try to get the access token with the “read:users” scope using a username/password and client id/secret from the Web App, it throws “User is not authorized to the audience for those scopes”.
I am not sure why that is. In the dashboard I can see that the Management API has the necessary access to the Web App and scopes under that.

Hello @shahzad.adil!

You can use password grant to get tokens for the Management API ONLY from a highly-trusted application that cannot do redirects.

Have you tried configuring the Application to be able to access the Management API scopes?

If you haven’t, you can try going to your Dashboard > APIs > Select the Management API > Machine to Machine Applications > look for the desired application and turn the toggle on > you will be able to select the needed scopes and update it.

Thank you!

Hey @karen.bermudez,
As stated above, I am able to get a token. And the Application is also authorized to access the API with all the necessary scopes.

But I am still facing this issue.

And how does Auth0 detect that the app is a highly-trusted application?

Hello!

Could you please send me a screenshot of your authorized application?

Thanks in advance!

@karen.bermudez Please find the screenshots below showing the UI App and the API with access to the app

Hello!

Are you still having this issue?

Thanks!

Please see my comment in this thread, it’s very similar:

But when I try to get the access token with “read:users” scope using a username/password and client id/secret from the Web App

Can you specify which grant type (Authorization Code Grant, Resource Owner Password Grant, etc.) you’re using?

If you’re not using Client Credentials Grant (M2M) but requesting it on behalf of a user, which I assume, the scopes you can request are limited, as per my linked thread above.
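To make the distinction in this thread concrete, here is an added example (not code from the thread or from Auth0) that builds the /oauth/token form body for either the client_credentials (M2M) grant or the Resource Owner Password grant against the Management API audience, and then inspects the scope claim of the returned access token so a service fails fast when a user-delegated token does not carry read:users. The tenant domain, client values and the sample token are constructed placeholders.

```python
import base64
import json

# Constructed placeholder tenant; substitute your own domain and client.
TENANT = "example-tenant.auth0.com"
MGMT_AUDIENCE = f"https://{TENANT}/api/v2/"   # Management API identifier
TOKEN_URL = f"https://{TENANT}/oauth/token"    # POST this body as a form

def token_request(grant, client_id, client_secret, scope,
                  username=None, password=None):
    """Form body for /oauth/token. client_credentials is the M2M flow and
    gets the scopes granted to the application on the API; password acts on
    behalf of a user, so the Management API only issues user-bound scopes."""
    body = {
        "grant_type": grant,
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": MGMT_AUDIENCE,
        "scope": scope,
    }
    if grant == "password":
        if not (username and password):
            raise ValueError("password grant needs username and password")
        body["username"] = username
        body["password"] = password
    elif grant != "client_credentials":
        raise ValueError(f"unsupported grant_type: {grant}")
    return body

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def granted_scopes(access_token):
    """Read the 'scope' claim from a JWT access token without verifying the
    signature. This is a local sanity check before calling the API, never an
    authorization decision; the Management API verifies the token itself."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return set(payload.get("scope", "").split())

def missing_scopes(access_token, required):
    """Required scopes the token lacks, so the caller can stop early instead
    of getting a 403 from the Management API later."""
    return set(required) - granted_scopes(access_token)

# Constructed, unsigned sample token standing in for a password-grant
# response: it carries a user-bound scope only, not read:users.
def _sample_token(scope):
    enc = lambda d: base64.urlsafe_b64encode(
        json.dumps(d).encode()).decode().rstrip("=")
    return f'{enc({"alg": "none"})}.{enc({"aud": MGMT_AUDIENCE, "scope": scope})}.'

SAMPLE_ROPG_TOKEN = _sample_token("read:current_user")
```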