Management API not working from SPA

I’m trying to update user information in a Vue app to enable the user to edit their profile.
After getting a token with the correct audience and scopes I still get a 400 Bad HTTP authentication header format error.

       var auth0Authentication = new auth0.Authentication({
          domain: options.domain,
          clientID: options.clientId,
        })

        return auth0Authentication.login({
          realm: 'Username-Password-Authentication',
          username: username,
          password: password,
          audience: 'https://' + options.domain + '/api/v2/',
        }, async (err, authResult) => {
          if (err) {
            this.error = err
            this.loading = false
            cb(err)
          } else {
            console.log('authResult', authResult)

            var decodedAccessToken = jwtDecode(authResult.accessToken)
            console.log('decodedAccessToken', decodedAccessToken)

            var auth0Management = new auth0.Management({
              domain: options.domain,
              token: decodedAccessToken.azp,
            })

            auth0Management.getUser(decodedAccessToken.sub, (err, user) => {
              console.log('err', err) // This is where I get an error
              console.log('user', user)
            })

            cb(true)
          }
        })

Hi @mjanowski,

Welcome to the Auth0 Community!

It looks like he might be running into a couple of issues here.

• SPAs are limited in what scopes they can request for management API tokens.
• you are only passing the decodedAccessToken.azp claim to the management API client, when you should be passing the original Access Token i.e. authResult.accessToken

Hi @dan.woda,

I think I did try using authResult.accessToken first but the idToken was missing from the response which led me to start trying other things.

I have since added these scopes: scope: 'openid profile email address phone read:current_user update:current_user_metadata' and now I get both the idToken and accessToken with the right permissions so it’s working!

One thing I would like, which seems to not be possible currently is to be able to update user fields like name, given_name and family_name using patchUserAttributes(). I’ve got around that by setting metadata and using a rule to populate those fields but that is not an ideal solution.

You are not able to update those attributes from a SPA. This is because a token with those permissions, on the client, could be grabbed by the user and used to update those attributes without you (the admin) knowing.

You must make requests to update the user’s core attributes from a secure client like a backend or API.

But for some apps it makes sense for users to be able to update their own information. In my case I want the users to be able to edit their profile (names etc.) and I don’t want to have to build a backend for that.

Thanks for the added context. Currently, you will need to make that request from a secure backend.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.