Using Management API from a Login of a SPA

I am trying to get the user metadata for a logged-in user. Given that the login gives me an access token and not an ID token, I can't add the user metadata that way, and there does not seem to be a way to extend the information that is returned by the /userinfo API. I figure the only way to get the user metadata would be for the user to be able to use the Management API. So I attempted to use the access token to access the Management API, and that is a no-go. I am using the Auth0Client to do the login and get the access token and user information.

If I am missing something, please tell me.

Note: This is a SPA on a static website using HTML and JavaScript (Node is not being used).

Hi @pfranz,

Welcome to the Community!

Your app should be issued an ID Token, but the user metadata is not included in ID Tokens by default (Sample ID Token). If you are using auth0-spa-js, when you use const user = await auth0.getUser();, the user’s information is retrieved by decoding the ID Token.

If you only need the user to view their metadata, then you can extend the ID Token by adding a custom claim:
https://auth0.com/docs/scopes/sample-use-cases-scopes-and-claims#add-custom-claims-to-a-token

If you need to allow the user to not only read, but also make persistent updates to their metadata, then you can do so by requesting the update:current_user_metadata and read:current_user scopes when you initiate the Auth0Client. Also, the audience config should be https://your-auth0-tenant-domain/api/v2.

Here are the docs for using the Management API in a SPA:

Please consider the warning about updating metadata from a SPA:

Auth0 does not recommend putting Management API Tokens on the frontend that allow users to change user metadata. This can allow users to manipulate their own metadata in a way that could be detrimental to the functioning of the applications. It also allows a customer to do a DoS attack against someone’s management API by just spamming it and hitting rate limits.

OK, I see what the issue was. Namespaced custom claims require that you specify a namespace. That is, even if the new attribute will not collide with other attributes, a namespace is required for it to be added to the ID token.

The attribute is a read-only attribute which is a copy of an app_metadata attribute that is copied via a Login Custom Action.

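The two approaches discussed in this thread, the namespaced custom claim copied by a Post-Login Action and the Management API call made as the logged-in user, as an added example. This is not code from the thread, from Auth0, or from auth0-spa-js. It assumes a tenant domain of example.auth0.com, a namespace of https://example.com/, an app_metadata key named "plan", the auth0-spa-js v2 option shape (authorizationParams), and stand-in `api`, `auth0` and `fetch` objects so it runs offline; none of those appear in the thread.

```javascript
// Added example; not code from the thread, from Auth0, or from auth0-spa-js.
// It shows both halves of the approach discussed above:
//   1. a Post-Login Action that copies a read-only app_metadata attribute into a
//      namespaced ID token claim, run here against a stand-in `api` object;
//   2. the SPA side: Auth0Client options with the Management API audience and the
//      read:current_user / update:current_user_metadata scopes, reading the claim,
//      and a PATCH of user_metadata for the logged-in user.
// Assumptions (none appear in the thread): tenant domain example.auth0.com,
// namespace https://example.com/, app_metadata key "plan", auth0-spa-js v2 option
// shape (authorizationParams), and the fake auth0/fetch objects used to run offline.

const TENANT_DOMAIN = 'example.auth0.com';                // assumption
const NAMESPACE = 'https://example.com/';                 // assumption: a URL you control
const MGMT_AUDIENCE = `https://${TENANT_DOMAIN}/api/v2/`; // Management API identifier

// ---------- 1. Post-Login Action (Node.js, runs on Auth0) ----------
// In the Auth0 dashboard this is assigned as `exports.onExecutePostLogin`;
// it is a plain function here so the file runs stand-alone.
async function onExecutePostLogin(event, api) {
  // app_metadata cannot be changed by the user, so the copied claim is read-only
  // from the SPA's point of view, unlike user_metadata.
  const plan = event.user.app_metadata && event.user.app_metadata.plan;
  if (plan !== undefined) {
    // Namespaced claim name, e.g. "https://example.com/plan".
    api.idToken.setCustomClaim(`${NAMESPACE}plan`, plan);
  }
}

// Stand-in for the Actions `api` object: records claims instead of minting a token.
function fakeActionsApi() {
  const claims = {};
  return {
    claims,
    idToken: { setCustomClaim(name, value) { claims[name] = value; } },
  };
}

// Runs the Action on a constructed login event and returns the claims it added.
async function runActionOnSample() {
  const event = { // constructed sample event
    user: {
      user_id: 'auth0|123',
      app_metadata: { plan: 'pro' },
      user_metadata: { theme: 'dark' },
    },
  };
  const api = fakeActionsApi();
  await onExecutePostLogin(event, api);
  return api.claims; // { 'https://example.com/plan': 'pro' }
}

// ---------- 2. SPA side (browser, auth0-spa-js) ----------
// Options for createAuth0Client when the user must read and update their own
// metadata through the Management API. "openid" is what makes Auth0 issue the
// ID token alongside the access token.
function auth0ClientOptions(clientId) {
  return {
    domain: TENANT_DOMAIN,
    clientId,
    authorizationParams: {
      audience: MGMT_AUDIENCE,
      scope: 'openid profile email read:current_user update:current_user_metadata',
    },
  };
}

// Reads the namespaced claim from the object returned by auth0.getIdTokenClaims()
// or auth0.getUser(); the SDK has already verified the token's signature, so
// the SPA never needs to decode a raw JWT itself.
function readClaim(claims, name) {
  return claims[`${NAMESPACE}${name}`];
}

// Builds the Management API request that updates only user_metadata for one user.
// update:current_user_metadata does not extend to app_metadata, and the token is
// only good for the user's own record, so the body is limited to user_metadata.
function buildUserMetadataPatch(accessToken, userId, userMetadata) {
  return {
    url: `${MGMT_AUDIENCE}users/${encodeURIComponent(userId)}`,
    method: 'PATCH',
    headers: { Authorization: `Bearer ${accessToken}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ user_metadata: userMetadata }),
  };
}

// Sends the PATCH as the logged-in user. `auth0` is an Auth0Client; `fetchImpl`
// is injectable so the flow can be exercised with a fake fetch.
async function updateCurrentUserMetadata(auth0, userMetadata, fetchImpl = globalThis.fetch) {
  const accessToken = await auth0.getTokenSilently(); // minted for the api/v2 audience
  const user = await auth0.getUser();                 // ID token claims; sub is the user_id
  const req = buildUserMetadataPatch(accessToken, user.sub, userMetadata);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) throw new Error(`Management API returned HTTP ${res.status}`);
  return res.json();
}

runActionOnSample().then((claims) => console.log('claims added by the Action:', claims));
```

The split matters for the warning quoted in the reply: anything the user must not be able to change belongs in app_metadata and reaches the SPA only as a claim the Action copies, while the user-scoped Management API token is confined to the user's own user_metadata. Rate limiting on api/v2 still applies per tenant, so keep the SPA from calling it in a loop.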
