I am attepting to show a list of users in the react app.
When attempting to access the manage api with api/v2/users/ i get:
{"statusCode":403,"error":"Forbidden","message":"Insufficient scope, expected any of: read:users,read:user_idp_tokens","errorCode":"insufficient_scope"}
But when I get the token for the api, I pass in the scope like so:
getTokenWithPopup({ scope: ‘read:users’ })
It doesn’t seem to care about the scope ? it doesn’t seem to pop up at all with the confirmation dialogue. Am I setting the scope for the management api in the wrong place?
Most operations available in the Management API are meant to only be called from back-end application because most of the endpoints allow for operation that you would not want a regular end-user to perform.
Due to the above, the approach to get an access token for the Management API and include those scopes is to perform a client credentials grant (Get Management API Access Tokens for Production).
The client credentials grant is available only for confidential clients as those are able to maintain a secret and authenticate themselves in the token endpoint.
In conclusion, a React application (browser-based application so it’s considered a public client application) cannot perform a client credentials grant and as such won’t also be able to obtain a token with a scope such as read:users.
If you want to provide access to some of the features exposed by Management API to a subset of your end-users then you’ll need to have your own backend in the middle so the React application calls your backed which authorizes the call in order to guarantee it comes from an authorized user and then the backend call Management API.