We want to perform user management and CRUD operations from our admin section which in turn needs to communicate with the Auth0 Management API.
We don’t see a way or example where we can use the same token received after authentication/login for Management API calls. Is there a way that we don’t have to request and utilise a second token?
If I remember correctly, a user within your Auth0 tenant does not have and cannot get the privileges required to perform CRUD operations on other users within your tenant. For that level of access I believe your app must use the client credentials grant flow. You could perhaps combine the auth code grant flow with client credentials:
1. User logs in via authorization code grant flow,
2. If authentication is successful, your app checks to see if the user is authorized to perform CRUD operations,
3. If the user is authorized, then use client credentials grant flow for the CRUD operations.
Step 2 could be based on a role or group parameter in the user’s app_metadata.
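An added Python sketch of the three steps above (this is not code from the thread or from Auth0): the user's own token is only inspected for an authorization decision, and a separate machine-to-machine token is fetched with the client credentials grant before any Management API call. It assumes a Rule/Action has copied `app_metadata.roles` into a namespaced custom claim named `https://example.com/roles`; the tenant domain and M2M credentials are placeholders.

```python
import json
import urllib.request

# Placeholders: replace with your tenant and M2M application credentials.
AUTH0_DOMAIN = "your-tenant.auth0.com"
M2M_CLIENT_ID = "M2M_CLIENT_ID_PLACEHOLDER"
M2M_CLIENT_SECRET = "M2M_CLIENT_SECRET_PLACEHOLDER"
# Assumed: a Rule/Action copies app_metadata.roles into this namespaced claim.
ROLES_CLAIM = "https://example.com/roles"


def is_user_admin(id_token_claims):
    """Step 2: decide from the user's own (already signature-validated) claims."""
    return "admin" in id_token_claims.get(ROLES_CLAIM, [])


def client_credentials_request(domain, client_id, client_secret):
    """Step 3: build the client credentials grant for a Management API token.
    The audience is the tenant's Management API identifier."""
    url = f"https://{domain}/oauth/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": f"https://{domain}/api/v2/",
    }
    return url, body


def fetch_m2m_token(domain=AUTH0_DOMAIN, client_id=M2M_CLIENT_ID,
                    client_secret=M2M_CLIENT_SECRET):
    """Exchange the M2M credentials for a token (network call, server side only)."""
    url, body = client_credentials_request(domain, client_id, client_secret)
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def list_users_for(id_token_claims, get_token=fetch_m2m_token, domain=AUTH0_DOMAIN):
    """Gate: the user's token never reaches the Management API; an M2M token is
    requested only after the user passes the authorization check."""
    if not is_user_admin(id_token_claims):
        raise PermissionError("user is not allowed to manage other users")
    token = get_token()
    req = urllib.request.Request(f"https://{domain}/api/v2/users",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Keep `fetch_m2m_token` and the M2M secret strictly on the server; the browser client only ever holds the user's login token.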
After investigating what @markd posted, we decided to keep Auth0 only for authentication and manage the authorization on our own platform utilizing ASP.NET Identity (roles & claims). This way we have flexibility without having to upgrade our licence for M2M to do direct CRUD from our API.