It appears our users can log in to the out-of-the-box “Auth0 Management API” with the following scopes:
read:current_user update:current_user_identities update:current_user_metadata create:current_user_metadata delete:current_user_metadata create:current_user_device_credentials delete:current_user_device_credentials
Where is this defined, and how can we stop them from doing so? It’s a constant mind exercise when considering the security of our application, because we have to consider “What if the user changed their metadata or linked their accounts etc. without going through our API?”
TBH, I really struggle to understand the concept of the “Auth0 Management API” and why it sits alongside our own API; i.e. if we want a user to update their name, we want to go via our API, which, chances are, would then authenticate and authorise the API call, apply our own business logic and subsequently call into the Auth0 Management API (with full admin permissions).
This pattern is the same as for any other third-party API (and even our own DB), e.g. if a user wants to update their payment methods in Stripe, they wouldn’t be issued an access token for the Stripe API; rather, they’d go via our API and again we’d authenticate and authorise the API call, apply our own business logic and then call into Stripe with full admin permissions.
Not sure if somebody can perhaps shed some light on this?