I have some node.js scripts which people run locally to do various things. I’d like to be able to use the ManagementClient in the auth0 module to allow people who are auth0 admins to be able to log in and search for users by email.
I don’t want to hand out application client secrets and secret IDs and let the users log in instead. Is that possible?
Hey there @piers, I may not be following along with your desired result so please correct me if I am mistaken. You are wanting your Auth0 admins to be able to log in and search for users by email but I don’t understand the desired result with the ManagementClient. Can you please explain a little bit more of what you would like to see happen so we can better assist? If your Auth0 Admins already have access to the tenants they should be able to log in and search your username database for the applicable information. Thanks and sorry for any confusion!
but I don’t understand the desired result with the ManagementClient.
I want them to be able to do this via an internal CLI tool.
Can you please explain a little bit more of what you would like to see happen so we can better assist?
For sure.
We have an off-shore support team for whom communication is difficult because they’re 12-hours difference from us and we work opposite hours. Therefore I want to give them a tool (script or CLI. Something lightweight, not a full-blown web UI) which they can use to do things like add users, get lists of users etc. I can do it right now if I ship the ManagementClient with a client secret but I’d rather not. I’d rather a password grant. Is that possible?
Hi there @piers, after following up with our support team, I was able to confirm you can create the token with the audience set to V2, which will generate an access token that can be consumed via the API itself. This would generate a popup but overall should be what you are looking to do. We don’t have an option that would be fully embedded within a CLI tool. This would be considered machine to machine communication in the event you leveraged a grant. However, this could turn into a costly solution as it ticks per authentication (which you only have 1000 of on the free tier) vs a web UI solution that would be per user (a more cost-effective option for a free tier customer). Please let me know if you have any additional questions.
This repo, which implements the authorization code grant with PKCE, might be helpful / relevant. I’ve written a lot of CLI stuff that always uses client credentials, but I was interested in the same use case (individual user logins when using my CLI tools, the way the AWS / GCP / heroku CLI tools work). After discussing this with Auth0 Professional Services, they built this solution for me.
Another solution which Auth0 ProSvcs suggested was to continue using Client Credentials, but create one client for every CLI user. That way you at least know who is doing what (where a single client would hide the user running the CLI).
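The authorization code grant with PKCE mentioned in the post above is what lets a CLI log each user in without shipping a client secret. The following Node.js code is an added example, not the code from the linked repo and not Auth0's own: the tenant domain, client ID, loopback redirect port and scope are constructed placeholders, the audience follows the "audience set to V2" reply, and `/authorize` and `/oauth/token` are Auth0's standard endpoints.

```javascript
const crypto = require("node:crypto");

// Constructed placeholder values (assumptions); use your own tenant and a public "native" client.
const config = {
  domain: "example-tenant.auth0.com",
  clientId: "CLI_CLIENT_ID_PLACEHOLDER",
  redirectUri: "http://127.0.0.1:8976/callback", // loopback listener the CLI would open
  audience: "https://example-tenant.auth0.com/api/v2/",
  scope: "openid",
};

// One login attempt: a random verifier, its S256 challenge, and a CSRF state value.
function createLoginAttempt() {
  const verifier = crypto.randomBytes(32).toString("base64url");
  const challenge = crypto.createHash("sha256").update(verifier).digest("base64url");
  return { verifier, challenge, state: crypto.randomBytes(16).toString("base64url") };
}

// URL the CLI opens in the user's browser. Only the challenge leaves the machine.
function buildAuthorizeUrl(cfg, attempt) {
  const url = new URL(`https://${cfg.domain}/authorize`);
  url.search = new URLSearchParams({
    response_type: "code", client_id: cfg.clientId, redirect_uri: cfg.redirectUri,
    audience: cfg.audience, scope: cfg.scope, state: attempt.state,
    code_challenge: attempt.challenge, code_challenge_method: "S256",
  }).toString();
  return url.toString();
}

// Validate the loopback callback before trusting the code: fail on error or state mismatch.
function readCallback(callbackUrl, attempt) {
  const params = new URL(callbackUrl).searchParams;
  if (params.get("error")) throw new Error(`login failed: ${params.get("error")}`);
  const got = Buffer.from(params.get("state") || "");
  const want = Buffer.from(attempt.state);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) throw new Error("state mismatch");
  if (!params.get("code")) throw new Error("missing authorization code");
  return params.get("code");
}

// Form body for the code exchange: the verifier proves possession, no client_secret is sent.
function buildTokenRequest(cfg, code, attempt) {
  const body = new URLSearchParams({ grant_type: "authorization_code", client_id: cfg.clientId,
    code, code_verifier: attempt.verifier, redirect_uri: cfg.redirectUri });
  return { url: `https://${cfg.domain}/oauth/token`, body };
}
```

The CLI would POST `body` to `url` and keep the returned access token in memory or an OS keychain rather than in a file alongside the scripts.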