tyf
July 7, 2023, 11:38pm
3
Hello @Xepobopa welcome to the community!
A Management API Access Token obtained by the SPA is limited in the scopes it can have. Instead, you’ll need to utilize a backend of sorts to get and use a properly scoped access token. The following article outlines this flow:
Question: How can I enable users to change their email address from a SPA or native app?
Answer:
Public clients (like SPAs and native applications) are restricted from requesting tokens for the management API with the proper scopes for updating a user’s email. These types of applications are limited to a few specific scopes. Because of these limitations, email change requests from public clients must flow through a backend or proxy API. This could be a serverless function with the sole purpose…
Alternatively (and easiest route), you can add a user’s roles as a claim to an Access Token and get them that way:
Problem statement
Is it possible to retrieve the user’s Roles and/or Permissions and include them in the JWT Token?
Solution
Yes, it’s possible to retrieve the user’s Roles and/or Permissions and append them to either the ID Token or Access Token. To do so, you must use a Post-Login Action script.
1.1 Roles
When adding the user’s Roles to the token, call the event.authorization.roles property and add it as a custom claim to the Token. Please see here on creating namespaced custom claims. Be…
Hope this helps!
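As an added illustration of the roles-as-a-claim route described in the reply above (this is example code, not part of the original post or of Auth0's own articles), here is a Post-Login Action that copies `event.authorization.roles` into a namespaced custom claim on both the ID Token and the Access Token, followed by a constructed stand-in for the `event`/`api` objects so the Action can be exercised offline, and a small backend-side helper that reads the claim back. The namespace `https://example.com/claims` is an assumption; Auth0 only requires that custom claim names be namespaced so they cannot collide with standard claims.

```javascript
// Added example; not code from the forum post or from Auth0's documentation.
// The claim namespace is an assumption: pick a URL-like prefix you control.
const NAMESPACE = 'https://example.com/claims';

// The Post-Login Action. Auth0 calls it as (event, api); the roles assigned to
// the user are exposed on event.authorization.roles when that object is present.
const onExecutePostLogin = async (event, api) => {
  // event.authorization can be absent in some flows, so fall back to an empty
  // list rather than throwing and failing the login.
  const roles = (event.authorization && event.authorization.roles) || [];
  api.idToken.setCustomClaim(`${NAMESPACE}/roles`, roles);
  api.accessToken.setCustomClaim(`${NAMESPACE}/roles`, roles);
};

// In the Auth0 Actions editor the trigger is located through this export.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// --- Constructed harness below; it is not deployed with the Action. ---

// Minimal fake of Auth0's `api` object that records the claims the Action sets.
function makeFakeApi() {
  const claims = { idToken: {}, accessToken: {} };
  return {
    claims,
    idToken: { setCustomClaim: (name, value) => { claims.idToken[name] = value; } },
    accessToken: { setCustomClaim: (name, value) => { claims.accessToken[name] = value; } },
  };
}

// Run the Action against a constructed login event and return the claims set.
async function runAction(event) {
  const api = makeFakeApi();
  await onExecutePostLogin(event, api);
  return api.claims;
}

// Backend-side check: read the namespaced claim from an already
// signature-verified token payload and test for a required role.
function hasRole(payload, role) {
  const roles = payload[`${NAMESPACE}/roles`];
  return Array.isArray(roles) && roles.includes(role);
}

// Constructed sample run: a user holding two roles.
runAction({ authorization: { roles: ['admin', 'editor'] } }).then((claims) => {
  console.log(claims.accessToken[`${NAMESPACE}/roles`]);
});
```

Two points worth keeping in mind when using a claim like this on the backend: the roles are a snapshot taken at login and are only refreshed when a new token is issued, and `hasRole` assumes the JWT signature and audience have already been validated by your middleware before the payload is trusted.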