The Management API has the option to link users by providing an access token for each user. However, it’s not clear to me what audiences and scopes those tokens need.
The documentation says the primary access token needs the update:current_user_identities scope, which implies to me that the primary access token must have the Management API as its audience (https://DOMAIN/api/v2/), is that right?
Does the audience of the secondary access token matter? Do the scopes?
In our application, the guest signs in with a database connection, then links with a passwordless user. The passwordless user should become the primary user. This is the workflow I’m trying to implement, but I get back Unauthorized when I try to link accounts:

1. User signs in to our app with a database connection. The audience is our API, https://example.com. Our app gets the access token.
2. User is sent back to the authorize endpoint to get an access token for their passwordless user for the Management API: /authorize?...&login_hint={email}&connection=email&audience=https://DOMAIN/api/v2/&scope=update:current_user_identities.
3. We retrieve the access token from step 2 and make the following request:

    POST /api/v2/users/PASSWORDLESS_USER_ID/identities
    Authorization: Bearer {ACCESS TOKEN FROM STEP 2}

    {
      "link_with": "ACCESS TOKEN FROM STEP 1"
    }
When I make this request, Auth0 responds with 400 Bad Request with message “Invalid token (link_with).”
I thought maybe I needed a secondary access token with the Management API audience, so I try to do that but get “invalid_request : The specified redirect_uri ‘http://localhost:5173/sign-in/callback’ does not have a registered origin”, which I don’t quite understand because that URI is in my application as an allowed redirect URI.
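As an added illustration (not code from the post or from Auth0), the snippet below does a client-side preflight on the primary token used in step 3: it decodes the JWT payload without verifying the signature and checks that the audience is the Management API and that the scope includes update:current_user_identities, as the question states, before assembling the identities request. The tenant domain is the placeholder DOMAIN from the post, and the test tokens are constructed and unsigned; what the secondary link_with token must contain is not settled here.

```python
import base64
import json

MGMT_AUDIENCE = "https://DOMAIN/api/v2/"   # placeholder tenant domain from the post
REQUIRED_SCOPE = "update:current_user_identities"


def decode_jwt_payload(token: str) -> dict:
    """Decode a JWT payload WITHOUT signature verification (sanity check only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_primary_token(token: str) -> list:
    """Return problems with the primary (Management API) token; [] means it looks right."""
    problems = []
    claims = decode_jwt_payload(token)
    aud = claims.get("aud", [])
    if isinstance(aud, str):            # aud may be a single string or a list
        aud = [aud]
    if MGMT_AUDIENCE not in aud:
        problems.append(f"aud {aud} does not include {MGMT_AUDIENCE}")
    if REQUIRED_SCOPE not in claims.get("scope", "").split():
        problems.append(f"scope lacks {REQUIRED_SCOPE}")
    return problems


def build_link_request(primary_user_id: str, primary_token: str, secondary_token: str) -> dict:
    """Assemble the identities call from the post, refusing to send a mis-scoped token."""
    problems = check_primary_token(primary_token)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "method": "POST",
        "url": f"https://DOMAIN/api/v2/users/{primary_user_id}/identities",
        "headers": {"Authorization": f"Bearer {primary_token}",
                    "Content-Type": "application/json"},
        "body": {"link_with": secondary_token},
    }


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned header.payload.signature token for offline demonstration."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"
```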