What audiences are needed to link users via access tokens?

The Management API has the option to link users by providing an access token for each user. However, it’s not clear to me what audiences and scopes those tokens need.

The documentation says the primary access token needs the update:current_user_identities scope, which implies to me that the primary access token must have the Management API as its audience (https://DOMAIN/api/v2/), is that right?

Does the audience of the secondary access token matter? Do the scopes?

In our application, the guest signs in with a database connection, then links with a passwordless user. The passwordless user should become the primary user. This is the workflow I’m trying to implement, but I get back Unauthorized when I try to link accounts:

  1. User signs in to our app with a database connection. The audience is our API, https://example.com. Our app gets the access token.

  2. User is sent back to the authorize endpoint to get an access token for their passwordless user for the Management API: /authorize?...&login_hint={email}&connection=email&audience=https://DOMAIN/api/v2/&scope=update:current_user_identities.

  3. We retrieve the access token from step 2 and make the following request:

POST /api/v2/users/PASSWORDLESS_USER_ID/identities
Authorization: Bearer {ACCESS TOKEN FROM STEP 2}
{
  "link_with": "ACCESS TOKEN FROM STEP 1"
}

When I make this request, Auth0 responds with 400 Bad Request with message “Invalid token (link_with).”

I thought maybe I needed a secondary access token with the Management API audience, so I try to do that but get “invalid_request : The specified redirect_uri ‘http://localhost:5173/sign-in/callback’ does not have a registered origin”, which I don’t quite understand because that URI is in my application as an allowed redirect URI.

I ended up opening a support ticket about this, and it turns out the token in the link_with property should be the ID token, not an access token.

When passing an access token as the Authorization header and an ID token as the link_with property, I can successfully link users together.

Hey @jennings glad you were able to get this sorted, and thanks a bunch for sharing the solution with the community! :pray:

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.