Auth0 Home Blog Docs

Possible to get IdP access token without server?

token
access-token
serverside
access
idp

#1

To get an IdP access token I have to call the Auth0 Management API’s Get Users by ID endpoint, with an access token that has read:user_idp_tokens scope.
I’m using the auth0.WebAuth.authorize() method to get the Auth0 Management API access token.
My problem is I never get back the ‘scope’ property in the issued id_token jwt, and therefore I’m not able to call the Get Users by ID endpoint.
Is that because I’m calling it form a client side JavaScript instead of a server side NodeJS code? (due security reasons?)
Is it possible to get an IdP access token purely from client JavaScript code, or there has to be a server involved as well?


#2

As you mentioned, in order to obtain IdP access tokens you need to go through the Management API and provide an access token with the appropriate scope read:user_idp_tokens. This scope (and almost all the others; there are a few exception for low-risk operation that are restricted to single users) is only granted when you perform a client credentials grant associated with the Management API and for a client that was explicitly allowed to request the scope.

The implication of the client credentials grant is that only software components that are able to maintain secrets can perform it which ends up restricting it mostly to server-side components like you mentioned because those can easily maintain the required secrets.

The recommendation would be for you to broker this access through a trusted server-side component. It’s pretty uncommon to have just browser-based code and in general there’s an associated API that goes along with every SPA. When available, this API would be the ideal method to broker the access to the IdP access token in a way that the SPA could benefit from their use without actually having to possess them directly.


#3

@jmangelo in the darkest corners of the docs it says its possible to use the Auth0.js: https://auth0.com/docs/connections/calling-an-external-idp-api#option-3-use-auth0-js

There’s a poorly documented ability for the user to call MGT API /api/v2/users/{ID} by a regular user if provide the ID token.

This seemed a lifesaver in certain use cases, but despite docs say “Extract the IdP’s access token from the response.”, there’s simply no access token field on the response (it is same as you get by calling /userinfo endpoint).

Is that even possible or are docs incorrect?


#4

@jmangelo in the darkest corners of the docs it says its possible to use the Auth0.js: https://auth0.com/docs/connections/calling-an-external-idp-api#option-3-use-auth0-js

There’s a poorly documented ability for the user to call MGT API /api/v2/users/{ID} by a regular user if provide the ID token.

This seemed a lifesaver in certain use cases, but despite docs say “Extract the IdP’s access token from the response.”, there’s simply no access token field on the response (it is same as you get by calling /userinfo endpoint).

Is that even possible or are docs incorrect?


#5

That section of the docs is incorrect and it will be updated/removed soon. In addition, I would personally recommend you to not depend on that poorly documented ability around ID tokens as it is something that will likely not be available in the future.


#6