Improve Get Management API Access Tokens for Single-Page Applications #10239
Comments
|
I have to agree with this ticket, it is a bit of a maze to find the pertinent information and that page seems to be the main search result i kept hitting from google / stack overflow / forums / etc... It seems like this page has a good example of how to do this in the javascript api. I'm sure most of the other languages will work the same though. https://auth0.com/docs/libraries/auth0js#user-management It's also odd that doing this from an SPA is discouraged considering my project did not require any server-side modifications to get this working. Perhaps this page should provide instructions on how to lock down a project to prevent users from accessing these scopes, and/or how to enable the relevant scopes if we want to go against the reccomendations. Better yet how about just setup approriate DDoS protections for this scenario, so this use case can be part of the standard toolset instead of it being a potential vulnerability for anyone who doesn't get the configuration just right.
|
https://auth0.com/docs/secure/tokens/access-tokens/get-management-api-tokens-for-single-page-applications
Issues
In the instructions for Retrieve a Management API token it incorrectly links to Get Management API Access Tokens for Testing.
Given that you are linking to /api/v2/users/{id} the placeholder is id. The management api access token should be in the Authorization HTTP header using the Bearer authentication scheme.
Suggestion
Provide the audience for below - https://{tenant}.auth0.com/api/v2/ ( as mentioned https://auth0.com/docs/secure/tokens/access-tokens/get-access-tokens#control-access-token-audience )
Reiterate that ths scope needs to be requested.
Perhaps the scopes on the management api page should mention Scope for current user
The text was updated successfully, but these errors were encountered: