User Profile Management with React SDK

Hi there,

I’m still very new to Auth0, so bear with me.

I’m building a React app and am using Auth0 for authentication and user management. So far, I’ve gotten login and logout working, with both database and Google authentication, and it’s been incredibly painless.

The next step is profile management. Specifically I want to be able to:

  • Allow the user to see and update their user profile - their name at the very least
  • Allow the user to change their password, if they are a database account

And this is where I’m struggling. I’ve worked out exactly how to do all of this using the Management API directly - both via direct HTTP calls and using auth0-js, but in order to do that I need appropriate tokens. And in order to get those tokens, I need a client secret. And I’m not about to put that into the JavaScript!

I’m using @auth0/auth0-react 1.2.0, and there are calls on there for getAccessTokenSilently and getIdTokenClaims. However, neither of the values returned from there is working as a token when passed to the Management API.

Is there a way that I can use @auth0/auth0-react to log in, and then access and update the full user profile of the user that has just logged in?

Cheers

Further notes. If I use the result of getAccessTokenSilently when making manual calls using httpie then I get an error of:

{
    "error": "Forbidden",
    "errorCode": "insufficient_scope",
    "message": "Insufficient scope, expected any of: read:users,read:current_user,read:user_idp_tokens",
    "statusCode": 403
}

And I get this even if I request the scopes in getAccessTokenSilently, Auth0Provider or both.

If I use the ID Token returned from getIdTokenClaims then I instead get an error of:

{
    "attributes": {
        "error": "Invalid token"
    },
    "error": "Unauthorized",
    "message": "Invalid token",
    "statusCode": 401
}

Which is fair enough, since an ID Token isn’t an Access Token and shouldn’t really be used as such.

So I think if there was a way of getting the Access Token with the correct scopes from getAccessTokenSilently - or even better, from already having it from logging in! - then things would start to work.
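A way to check which of the two cases a token falls into before sending it, as an added example that is not part of the original post: it decodes the token's payload (without verifying the signature) and compares `aud` and `scope` with what the API expects. The scope list is copied from the 403 message above; the audience URL, the `diagnoseToken` helper and the sample tokens are constructed assumptions.

```javascript
// Added example: inspect (not verify) a token's claims to see why an API would reject it.
// Inspection only: never make authorization decisions from an unverified payload.

// "expected any of" list copied from the 403 insufficient_scope message in the post.
const EXPECTED_ANY_OF = ['read:users', 'read:current_user', 'read:user_idp_tokens'];

// Decode the payload segment of a JWT; returns null for opaque or malformed tokens.
function decodePayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

// Report the first reason the token would not be accepted for apiAudience.
function diagnoseToken(token, apiAudience, anyOfScopes = EXPECTED_ANY_OF) {
  const claims = decodePayload(token);
  if (!claims) return { ok: false, reason: 'not_a_jwt' };
  const aud = [].concat(claims.aud ?? []); // aud may be a string or an array
  if (!aud.includes(apiAudience)) return { ok: false, reason: 'wrong_audience', aud };
  const granted =
    typeof claims.scope === 'string' ? claims.scope.split(' ').filter(Boolean) : [];
  const matched = anyOfScopes.filter((s) => granted.includes(s));
  if (matched.length === 0) return { ok: false, reason: 'insufficient_scope', granted };
  return { ok: true, matched };
}

// Constructed, unsigned sample tokens (placeholders, not real credentials).
function makeToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.constructed`;
}

const API = 'https://tenant.example/api/v2/'; // hypothetical API audience
const idToken = makeToken({ aud: 'constructed-client-id', sub: 'auth0|constructed' });
const noScope = makeToken({ aud: [API], scope: 'openid profile email' });
const good = makeToken({ aud: [API], scope: 'openid read:current_user' });

for (const [name, t] of Object.entries({ idToken, noScope, good })) {
  console.log(name, JSON.stringify(diagnoseToken(t, API)));
}
```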