I’ve found a few inconsistencies with the current_user_device_credentials scopes that are available for SPAs using the Auth0 Management API directly (versus proxying through a backend).
The documentation here indicates that create:current_user_device_credentials and delete:current_user_device_credentials scopes are available for the current user, and I can confirm that I’ve been able to get an access_token including these scopes using the auth0-spa-js SDK. However:

- Missing read:current_user_device_credentials scope: The Management API docs for Retrieve device credentials indicate that there is also a read:current_user_device_credentials scope that can be used for this API request. But when I request this scope, it is not returned in the access_token.

- delete:current_user_device_credentials scope not accepted: Attempting to use this scope for Delete a device credential returns 403 with message: “Insufficient scope; expected: delete:device_credentials”. I’ve tried this both in Postman as well as in the Management API Explorer.

- Create a device public key credential API endpoint not well documented: Does this API endpoint mirror what you would end up with after a successful user-initiated Device Authorization Grant flow?
Thanks for your help!
Nathan