Using implicit grant with the Auth0 Management API

I’m currently building a SPA with Ember.js and using Auth0 to handle user authentication.

One important feature for my app is that the user should be able to create, delete and update users directly from the app - not using the Auth0 dashboard (only the developers have access to the Auth0 account).

This article (The Auth0 Management APIv2 Token) describes how to get a token automatically with a Non-Interactive client using the Client Credentials grant, and involves passing your client_secret in order to retrieve an access token.

The problem is - I’m using a JavaScript front-end framework and the client_secret can be viewed in the source code by anyone visiting the app and clicking “show source”.

After some research, I found that SPAs are supposed to use the Implicit Grant flow to request an access token from an API - this would be a perfect solution, but it looks like I can’t use the Implicit Grant flow with the Auth0 management API.

So my question is: Can I use an Implicit Grant flow to get an access token from the Auth0 Management API?

If not, can I continue to use the Client Credentials exchange, as stated in the documentation, but somehow obscure the client_secret value in my front-end code?

I don’t want to have to write an API or write server-side code just to get an access token, unless there’s no other option.

I’m asking because I really can’t be the first person to run into this issue, and yet I’ve found no information on the topic, either here on the forums or in the Auth0 documentation articles.

Thanks in advance for any help or advice you can provide!

:wave: @ouairz

You are correct that you should not be getting an access token for the Management API with the implicit grant flow. Only authorized non-interactive clients should get it, and this request should be done on the backend (and not be done directly in an SPA). Your non-interactive clients and the Management API v2 token need to be as secure as possible. I know you specified you did not want to have to write an API or server-side code to accomplish this, but this would be the recommended approach to take.
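The backend approach recommended in the answer above, as an added example that is not code from the thread or from Auth0: a small Node.js module that keeps the Non-Interactive client's client_secret on the server, obtains a Management API token with the client credentials grant, caches it until shortly before it expires, and exposes one narrow "create user" handler that the SPA calls with its own user credentials. The token endpoint, audience and Management API user-creation request follow Auth0's documented shape; the `fetchImpl` and `now` injection points, the `isAuthorizedCaller` hook and the connection name are assumptions made so the module can be exercised offline.

```javascript
// Added example (not from the thread or from Auth0). Assumptions: the
// injectable fetch/clock, the isAuthorizedCaller hook and the connection name
// 'Username-Password-Authentication' are illustrative choices.
const tokenUrl = (domain) => `https://${domain}/oauth/token`;
const mgmtAudience = (domain) => `https://${domain}/api/v2/`;

// The client credentials request. This is the only place the secret is used,
// and it runs on the server, so the SPA never ships it.
function buildTokenRequest({ domain, clientId, clientSecret }) {
  return {
    url: tokenUrl(domain),
    init: {
      method: 'POST',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({
        grant_type: 'client_credentials',
        client_id: clientId,
        client_secret: clientSecret,
        audience: mgmtAudience(domain),
      }),
    },
  };
}

// Server-side token provider: fetch once, cache, renew `skewMs` before expiry.
// `fetchImpl` and `now` are injectable so this can be tested without network.
function createManagementTokenProvider(
  config,
  { fetchImpl = fetch, now = () => Date.now(), skewMs = 60_000 } = {},
) {
  let cached = null; // { token, expiresAt }
  let fetches = 0;
  async function getToken() {
    if (cached && cached.expiresAt - skewMs > now()) return cached.token;
    const { url, init } = buildTokenRequest(config);
    const res = await fetchImpl(url, init);
    if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
    const body = await res.json();
    if (typeof body.access_token !== 'string' || typeof body.expires_in !== 'number') {
      throw new Error('malformed token response');
    }
    cached = { token: body.access_token, expiresAt: now() + body.expires_in * 1000 };
    fetches += 1;
    return cached.token;
  }
  return { getToken, fetchCount: () => fetches };
}

// The single endpoint the SPA is allowed to call. `isAuthorizedCaller` must
// verify the SPA user's own token and role (assumed to be supplied by the app);
// the Management API token is used here and never returned to the browser.
function createUserHandler({ domain, tokenProvider, fetchImpl = fetch, isAuthorizedCaller }) {
  return async function handleCreateUser(req) {
    if (!(await isAuthorizedCaller(req))) return { status: 403, body: { error: 'forbidden' } };
    const { email, password } = req.body || {};
    if (typeof email !== 'string' || typeof password !== 'string') {
      return { status: 400, body: { error: 'email and password required' } };
    }
    const mgmtToken = await tokenProvider.getToken();
    const res = await fetchImpl(`https://${domain}/api/v2/users`, {
      method: 'POST',
      headers: { authorization: `Bearer ${mgmtToken}`, 'content-type': 'application/json' },
      body: JSON.stringify({ email, password, connection: 'Username-Password-Authentication' }),
    });
    const body = await res.json();
    // Return only what the SPA needs; upstream details and the token stay server-side.
    return {
      status: res.status,
      body: res.ok ? { user_id: body.user_id, email: body.email } : { error: 'upstream error' },
    };
  };
}
```

Wire `createUserHandler` behind your web framework's route (for example an Express `POST /users`) with `clientSecret` read from an environment variable or secret store, and give the Non-Interactive client only the Management API scopes the endpoint actually needs (here `create:users`); the SPA then calls your endpoint instead of the Management API and never needs a Management API token at all.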

Hi Kim,

Thank you for taking the time to answer. It’s true that server-side code is always more secure. I was just hoping for an easier approach, which would have been using the implicit flow grant.

I don’t see any way to accept your answer, but you can close this issue. Thanks again!

