Removing user_metadata without management api?

Greetings,

We have the following setup:

  • user registers on Auth0 Lock, with additional user fields (country, city, etc.).
  • when they log in to our site, all the user_metadata is copied into the user's profile on our website
  • the metadata is never used again

We would like to remove that user_metadata once it is copied.
From my understanding, that is possible using the Management API (which I managed to do).
But that API has full management access (I know, it is in the name :stuck_out_tongue: ).

Is there another way to remove the user_metadata without using the Management API with full rights?

Cheers

If you haven't done so already, you should go through https://auth0.com/docs/tokens/management-api-access-tokens/get-management-api-tokens-for-single-page-applications, which describes how to get Management API access tokens in the context of single-page applications.

This would be relevant because those access tokens are scoped in terms of what operations they can perform; in particular, they are scoped to only allow operations on the user that is currently logged in to the app, so this could be useful for your use case.

1 Like

Thank you. I will go through it again, and hopefully better understand it this time :smiley:

I know I am not good at this, but can someone please explain to me how this works? I have reread it over and over again, and I can't get it to work.

I have:

  • a single page app (the one used by the website) (REQUIRED)
  • a custom API (used by my backend server to communicate with Auth0 and validate authentication) (REQUIRED)
  • a management API (used to do some Auth0 management, but ideally not from the front end) (REQUIRED)

I also have two extra applications, do not really know where they come in:

  • API explorer application (M2M)
  • auth management API (M2M)

Now, I would like to be able to do some management using the logged-in user.

Can he use the already existing authentication token he gets by authenticating?
If so, I understand some scopes are required (for example: read:user_idp_tokens and read:users, to allow him to read his entire profile, and his profile only).

Where do I give every user those scopes automatically?

Once the user has those extra scopes, when communicating with /api/v2/users, which application ID is he supposed to use from all those mentioned above?

I am really lost here. I am sure it is easy for most people, but, yeah, I do not get it :smiley:

The scopes you mentioned, like read:users, would require a client credentials flow (https://auth0.com/docs/flows/client-credentials-flow) in order to be able to obtain an access token with that scope. This is because that scope allows read access to all users, and as such a user authentication/access token will be unable to have it.

A scope that could be available in a user access token would be read:current_user or update:current_user_metadata. Those could be available in a user token, and as such that user token would be suitable to call specific endpoints of the Management API, and only in the scope of the user in question.

On the other hand, with client credentials (M2M application), which will need to be done from your backend, you will be able to obtain broader scopes like read:users.

In conclusion, updating/managing user metadata can be achieved either through a Management API access token obtained in a user flow or in a client credentials flow.

1 Like
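The two replies above (getting a Management API token in a single-page app, and using the per-user scope update:current_user_metadata rather than read:users) describe the flow but show no code. The following is an added example, written for this page and not taken from the thread or from Auth0's own SDKs, of clearing the copied user_metadata keys from the browser with a user-scoped Management API token. It assumes (none of this is stated in the thread): the SPA has already obtained `token` from Auth0 with audience `https://${domain}/api/v2/` and a scope including update:current_user_metadata; `domain` is the tenant domain, with "example.auth0.com" used as a placeholder; and the Management API removes a user_metadata key that is PATCHed with the value null. Everything except the real network call runs offline, and the `fetch` implementation is injectable so the request can be checked without a tenant.

```javascript
// Added example (not from the thread, not Auth0's own code): remove the copied
// user_metadata keys with a *user-scoped* Management API access token.
//
// Assumptions (not stated in the thread): `token` was issued for audience
// https://${domain}/api/v2/ with scope update:current_user_metadata, `domain`
// is the tenant domain (placeholder "example.auth0.com"), and the Management
// API deletes a user_metadata key when it is PATCHed with null.

const REQUIRED_SCOPE = 'update:current_user_metadata';

// Decode the JWT payload locally. This is only a pre-flight sanity check;
// signature verification is the Management API's job, not the browser's.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact token');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(atob(padded));
}

// True only if the token targets this tenant's Management API and carries the
// per-user metadata scope. `aud` may be a string or an array (Auth0 adds the
// userinfo audience when openid is requested).
function tokenAllowsMetadataUpdate(token, domain) {
  const payload = decodeJwtPayload(token);
  const audiences = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  const scopes = (payload.scope || '').split(' ');
  return audiences.includes(`https://${domain}/api/v2/`) && scopes.includes(REQUIRED_SCOPE);
}

// Build the PATCH body: each copied key is set to null so it is removed rather
// than overwritten with an empty string.
function buildClearMetadataPatch(keysToClear) {
  const user_metadata = {};
  for (const key of keysToClear) user_metadata[key] = null;
  return { user_metadata };
}

// PATCH /api/v2/users/{id} for the logged-in user. The id is taken from the
// token's `sub` claim, so with update:current_user_metadata the call cannot
// target anyone else. `fetchImpl` is injectable for offline testing.
async function clearUserMetadata({ domain, token, keys, fetchImpl = fetch }) {
  if (!tokenAllowsMetadataUpdate(token, domain)) {
    throw new Error(`token lacks audience https://${domain}/api/v2/ or scope ${REQUIRED_SCOPE}`);
  }
  const userId = decodeJwtPayload(token).sub;
  const url = `https://${domain}/api/v2/users/${encodeURIComponent(userId)}`;
  const res = await fetchImpl(url, {
    method: 'PATCH',
    headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
    body: JSON.stringify(buildClearMetadataPatch(keys)),
  });
  if (!res.ok) throw new Error(`Management API returned ${res.status}`);
  return res.json(); // the updated user object
}
```

The same PATCH body works for the backend variant from the last reply: a client-credentials token for an M2M application with update:users can clear any user's metadata, but that token carries broad rights and must stay on the server, never in the SPA.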