
Unable to set create:users and read:users scopes using iOS SDK

Hi there. I’m having the same issue as this topic, however that topic was closed and the solution provided there doesn’t really seem to solve this issue. Like in that issue, I’m trying to set the scope read:users but I’m also trying to set create:users. I’ve checked that my audience is correct for my domain, i.e. using https://YOUR_AUTH0_DOMAIN/api/v2/. Also I’ve looked over the example of making a patch in iOS and found that trying to add the scope I need fails even in that project, so there must be something else that I’m missing entirely for these particular scopes.

My code is:

Auth0
        .webAuth()
        .scope("openid profile offline_access read:current_user read:users create:users")
        .audience("https://" + clientInfo.domain + "/api/v2/")
        .start { result in
            switch result {
            case .success(let credentials): print("Granted scopes: \(credentials.scope ?? "")") // read:users and create:users are missing here
            case .failure(let error): print("Login failed: \(error)")
            }
        }

The scopes that are set from this call are everything except for the read:users and create:users scopes. Adding/removing any of the other scopes updates the scopes set appropriately, so I’m guessing there’s something special needed to set the read:users and create:users scopes?

To show you, even the sample project doesn’t add the scopes when I modify it like this:

Auth0
        .webAuth()
        .scope("openid profile offline_access read:current_user update:current_user_metadata read:users create:users")
        .audience("https://" + clientInfo.domain + "/api/v2/")
        .start { result in
            switch result {
            case .success(let credentials): print("Granted scopes: \(credentials.scope ?? "")") // same result: read:users and create:users are absent
            case .failure(let error): print("Login failed: \(error)")
            }
        }

I’m noticing the same thing as in my project code above. All of the other scopes are set except for create:users and read:users, so this isn’t just an issue with my project. Any help would be greatly appreciated!

Hi @scout208,

It sounds like this is in regards to the Management API not the Authentication API. Is this correct?

If so, it is likely because you are limited in scope when using a native app, as the token could easily be extracted and used to make read and create calls to your entire user database. At least I think this is the case. I know that is how it is set up for SPAs, which have the same situation.

Thanks,
Dan

Yeah I guess this is in regards to the Management API. I just included it in this topic because that is where the other issue I saw was located and mine was very similar.

So I guess this is a security feature that doesn’t grant a native app these scopes? I switched over to just returning the scopes I needed in rules (based on user role) since I couldn’t get this to work, which I guess is a safer option anyways.

1 Like
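The role-based workaround mentioned above, written out as an added example (not the poster's code and not Auth0's): an Auth0 rule in the standard `function (user, context, callback)` shape that puts role-derived permissions into a namespaced custom claim, plus the server-side check a backend would run before it calls the Management API with its own credentials. The `https://example.com/claims/` namespace and the `user.app_metadata.roles` location are assumptions.

```javascript
// Added example: role-based claims instead of Management API scopes in a native app.
// Assumption: roles are stored in user.app_metadata.roles; namespace is a placeholder.
const NAMESPACE = 'https://example.com/claims/';

// Constructed sample mapping from Auth0 roles to app-level permissions.
// These are the app's own permissions, NOT Management API scopes such as
// create:users, which a native app or SPA is never granted.
const ROLE_PERMISSIONS = {
  admin: ['users:read', 'users:create'],
  support: ['users:read'],
};

// Collapse a user's roles into a sorted, de-duplicated permission list.
function permissionsForRoles(roles) {
  const granted = new Set();
  for (const role of roles || []) {
    for (const perm of ROLE_PERMISSIONS[role] || []) granted.add(perm);
  }
  return [...granted].sort();
}

// Rule body in the shape Auth0 rules use: (user, context, callback).
// Claims go on the access token so the backend can read them.
function addRolePermissions(user, context, callback) {
  const roles = (user.app_metadata && user.app_metadata.roles) || [];
  context.accessToken[NAMESPACE + 'roles'] = roles;
  context.accessToken[NAMESPACE + 'permissions'] = permissionsForRoles(roles);
  return callback(null, user, context);
}

// Backend-side gate: only the server, holding its own Management API client
// credentials, creates users, and only after this claim check passes.
function mayCreateUsers(accessTokenClaims) {
  const perms = accessTokenClaims[NAMESPACE + 'permissions'] || [];
  return perms.includes('users:create');
}
```

The native app still only ever receives the `*:current_user*` scopes; the `create:users` call happens server-side behind `mayCreateUsers`.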

Okay then that should be the problem. Yeah, it is because the token could easily be used to read and update any user a malicious party wanted. I know it can complicate how a user updates their data, but at this time there is just no way to secure a Management API token in a native app or SPA.

Let us know if there is anything else we can do to help!

Thanks,
Dan
