For some parts of our application I’d like to display a list of users which may or may not include the current logged-in user (think e.g. a team list). I would like to also grab Auth0’s avatars for this list of users to be able to display them on the front-end. What’s the recommended way of doing this?
I know that Auth0 offers a Management API that I can use to grab a wide swath of information about users, but it looks like I’d have to write a custom JavaScript rule to restrict scopes and the information that’s sent back so that an untrusted front-end can’t grab anything unrelated to an avatar about a user. That’s a bit undesirable for me because then I have some important-ish security logic sitting in a random snippet of JavaScript in a rule.
I’m also not sure whether the Management API is meant to be used this way (i.e. as a bulk data retrieval point by untrusted front-ends). The whole way that tokens are retrieved and used leads me to suspect that the Management API is never meant to be directly hit by an end-user front-end.
Is there a better way of doing this?