Modify Scopes of Access Token for Auth0 Management API

Problem statement

Previously, rules were used to provide the right token scopes to users/admins according to their application roles. When looking to find similar functionality with Actions, it seems that it is not possible to add scopes to these tokens.

After testing this a bit further, the following error was returned when attempting to add scopes such as “read:users” or “create:user_tickets” from our SPA application:

Log warning : Attempting to add scopes to an access token for an internal audience: https://tenant.region.auth0.com/api/v2/. These scopes were ignored.

Is there a way to bypass this restriction for a SPA application?

Cause

The claims that are available for the Management API in a user-based flow are restricted due to the reduced security of SPA type applications and the increased likelihood of an access token being exposed:

https://auth0.com/docs/secure/tokens/access-tokens/get-management-api-tokens-for-single-page-applications

Actions have been developed to ignore scope modifications on access tokens with an audience of the Auth0 APIs to protect against workarounds to this intentional limitation, and it is not configurable at this time. Despite the inconvenience, this feature has been implemented for security.

Solution

The recommendation is to use the tenant member roles to limit a user to user management activities on the tenant Dashboard, for example, Dashboard Access by Role.

Another option to consider would be putting the responsibility of making actual calls to the Management API onto a secure backend M2M application so the Management API access token is not exposed to the SPA/browser and can also contain the scopes required. This backend can then allow authorized users of your SPA to initiate a limited set of API calls to the Management API via authenticated calls to your backend application.
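The backend-for-frontend arrangement described above, as an added example that is not Auth0's code: the backend holds the M2M client credentials, obtains and caches the Management API token itself, and exposes only an allow-list of operations to SPA users whose (already validated) application role permits them. The tenant domain, the `ALLOWED_OPS` table, the `support` role and the injected `fetchImpl` are assumptions for illustration.

```javascript
// Added example (not Auth0's code). The SPA never sees the Management API
// token; the backend obtains it with its own M2M client and proxies a
// limited set of calls. Tenant domain and role names are placeholders.
const DOMAIN = "tenant.region.auth0.com";
const MGMT_AUDIENCE = `https://${DOMAIN}/api/v2/`;

// Operations the SPA may trigger: Management API scope the M2M application
// needs (granted in the Dashboard, not requested by the SPA) and the app
// role the caller must hold. Assumed table, not an Auth0 API.
const ALLOWED_OPS = {
  getUser: { method: "GET", scope: "read:users", role: "support",
    path: (p) => `/api/v2/users/${encodeURIComponent(p.userId)}` },
  createTicket: { method: "POST", scope: "create:user_tickets", role: "support",
    path: () => "/api/v2/tickets/password-change" },
};

function createManagementProxy({ clientId, clientSecret, fetchImpl, now = () => Date.now() }) {
  let cached = null; // { token, expiresAt } kept server-side only

  // Client credentials grant performed by the backend; refreshed shortly
  // before expiry so the SPA request path never blocks on a stale token.
  async function getManagementToken() {
    if (cached && cached.expiresAt > now() + 60_000) return cached.token;
    const res = await fetchImpl(`https://${DOMAIN}/oauth/token`, {
      method: "POST",
      headers: { "content-type": "application/json" },
      body: JSON.stringify({ grant_type: "client_credentials", client_id: clientId,
        client_secret: clientSecret, audience: MGMT_AUDIENCE }),
    });
    if (!res.ok) throw new Error(`token request failed: ${res.status}`);
    const body = await res.json();
    cached = { token: body.access_token, expiresAt: now() + body.expires_in * 1000 };
    return cached.token;
  }

  // `caller` is the SPA user's identity as established from the SPA's own
  // access token (validation assumed done upstream); `op`/`params` come
  // from the SPA request and are checked against the allow-list.
  async function call(caller, op, params) {
    const def = ALLOWED_OPS[op];
    if (!def) throw new Error(`operation not allowed: ${op}`);
    if (!caller.roles.includes(def.role)) throw new Error(`forbidden: ${op} requires role ${def.role}`);
    const token = await getManagementToken();
    const res = await fetchImpl(`https://${DOMAIN}${def.path(params)}`, {
      method: def.method,
      headers: { authorization: `Bearer ${token}`, "content-type": "application/json" },
      body: def.method === "POST" ? JSON.stringify(params) : undefined,
    });
    if (!res.ok) throw new Error(`management api error: ${res.status}`);
    return res.json();
  }

  return { call, getManagementToken };
}
```

Because the scopes are attached to the M2M application's token rather than to the SPA user's token, the Action restriction above no longer matters, and the allow-list keeps the backend from becoming a general-purpose Management API relay.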