Scopes/Permissions/Resource Servers API documentation - PATCH

subtlestag · September 2, 2021, 4:31pm

Hi,
I’d like to point out that the documentation for PATCH on the /api/v2/resource-servers/{id} endpoint requires further clarification.

As I’ve experienced, and as pointed out in this topic:

…it is very easy to miss the fact that PATCH will replace/overwrite ALL of the Resource Server’s scopes/permissions.

I had to spend the entire day setting up what was lost due to a single API request, which I thought would append a single Permission to an existing API.

I believe the documentation should either warn about this behavior in large, bold font, or the API behavior should be changed to what some might consider the “expected behavior”.

If PATCH’s behavior is as intended, maybe Auth0 should consider adding an API endpoint that only appends a permission/scope to an existing set of scopes for a certain API.

I find it a bit odd that I am required to first fetch all existing scopes, append my new scope to the list, and then issue a PATCH request.

Am I alone here? Doesn’t this seem like the more common scenario?

subtlestag · September 19, 2021, 11:30am

In case it helps anyone, here’s how I ended up doing it using a shell script:

gist.github.com

https://gist.github.com/topdodo/d95f788921e59fcd54f3862a13a5f3fc

auth0_add_scopes.sh

MGMT_API_ACCESS_TOKEN="<JWT>"

GET_SCOPES=$(curl -s \
    --header "authorization: Bearer ${MGMT_API_ACCESS_TOKEN}" \
    --header 'cache-control: no-cache' \
    "https://${MY_AUTH0_DOMAIN}/api/v2/resource-servers")

GET_SCOPES_BACKUP_FILE="api_scopes_backup_${MY_API_ID}_$(date +'%Y-%m-%d_%H-%M-%S').json"
echo "${GET_SCOPES}" > "${GET_SCOPES_BACKUP_FILE}"
SCOPES_COUNT=$(cat "${GET_SCOPES_BACKUP_FILE}" | jq length)

This file has been truncated. show original

Hopefully Auth0 will add an “append” method to the API in the future.