Problem statement
We noticed that a tenant log for a mgmt_api_read GET Clients
is not associated with any user/application/user agent, such as:
{
"date": "2022-12-05T20:18:14.990Z",
"type": "mgmt_api_read",
"description": "Get clients",
"client_name": "",
"ip": "52.43.154.207",
"details": {
"accessedSecrets": [
"client_secret"
],
"request": {
"method": "get",
"path": "/api/v2/clients",
"query": {
"per_page": 100,
"page": 0,
"fields": "name,tenant,client_id,client_secret,callbacks,global,app_type,callbacks,web_origins,allowed_logout_urls"
},
"channel": "api",
"ip": "52.43.154.207",
"auth": {
"user": {},
"strategy": "jwt",
"credentials": {}
}
},
"response": {
"statusCode": 200,
...
"user_agent": "Other 0.0.0 / Other 0.0.0",
}
We want to know how it was triggered.
Cause
These Get Clients
management API calls are done by Auth0 docs. For instance, Auth0 Quickstarts have a feature that automatically populates client ID and other attributes on the code samples and management API read calls are used for it.
You can reproduce this by navigating to any of our Quickstarts documentation, such as Auth0 React SDK Quickstarts: Add Login to your React App, and then you can find such tenant logs.