Open tonyhallett opened 1 year ago
I have to agree with this ticket, it is a bit of a maze to find the pertinent information and that page seems to be the main search result I kept hitting from google / stack overflow / forums / etc...
It seems like this page has a good example of how to do this in the javascript api. I'm sure most of the other languages will work the same though. https://auth0.com/docs/libraries/auth0js#user-management
It's also odd that doing this from an SPA is discouraged considering my project did not require any server-side modifications to get this working. Perhaps this page should provide instructions on how to lock down a project to prevent users from accessing these scopes, and/or how to enable the relevant scopes if we want to go against the recommendations.
Better yet how about just set up appropriate DDoS protections for this scenario, so this use case can be part of the standard toolset instead of it being a potential vulnerability for anyone who doesn't get the configuration just right.
Auth0 does not recommend putting Management API Tokens on the frontend that allow users to change user metadata. This can allow users to manipulate their own metadata in a way that could be detrimental to the functioning of the applications. It also allows a customer to do a DoS attack against someone's management API by just spamming it and hitting rate limits.
https://auth0.com/docs/secure/tokens/access-tokens/get-management-api-tokens-for-single-page-applications
Issues
In the instructions for Retrieve a Management API token it incorrectly links to Get Management API Access Tokens for Testing.
Given that you are linking to /api/v2/users/{id} the placeholder is id. The management api access token should be in the Authorization HTTP header using the Bearer authentication scheme.
Suggestion
Provide the audience for below - https://{tenant}.auth0.com/api/v2/ (as mentioned https://auth0.com/docs/secure/tokens/access-tokens/get-access-tokens#control-access-token-audience). Reiterate that this scope needs to be requested.
Perhaps the scopes on the management api page should mention Scope for current user
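The following is an added example, not code from this issue thread, from Auth0's docs or from an Auth0 SDK. It ties the points above together for a SPA calling the Management API on behalf of the signed-in user: the token is requested for the audience `https://{tenant}.auth0.com/api/v2/` together with the needed scope, the user's id fills the `{id}` placeholder of `/api/v2/users/{id}`, and the token is sent in the `Authorization` header with the `Bearer` scheme. The tenant domain, user id and token are constructed placeholders; the scope names `read:current_user` and `update:current_user_metadata` are assumed to be the per-user scopes the issue calls "Scope for current user"; the `authorizationParams` object shape is assumed to be what the SPA SDK's token request accepts. Nothing here contacts a network: `fetch` is injected so the call can be exercised with a mock.

```javascript
// Added example (not from the issue or from Auth0). Constructed placeholders throughout.
const TENANT_DOMAIN = "example-tenant.auth0.com"; // constructed placeholder
const MGMT_AUDIENCE = `https://${TENANT_DOMAIN}/api/v2/`; // audience the token must be minted for

// Assumed per-user scopes ("Scope for current user"); request only these, never tenant-wide ones.
const CURRENT_USER_SCOPES = ["read:current_user", "update:current_user_metadata"];

// What the SPA passes when asking the SDK for a Management API token (assumed param shape):
// e.g. auth0Client.getTokenSilently({ authorizationParams: tokenRequestParams })
const tokenRequestParams = { audience: MGMT_AUDIENCE, scope: CURRENT_USER_SCOPES.join(" ") };

// Base64url -> UTF-8 (JWT segments are base64url without padding).
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// Decode a JWT payload WITHOUT verifying the signature. In the browser this is only a
// pre-flight sanity check; the Management API itself verifies the signature server-side.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWS compact token");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Pre-flight check: minted for the Management API audience, carries the scopes we need,
// and not expired. Returns a list of problems; empty means the token looks usable.
function checkManagementToken(token, requiredScopes, nowSeconds = Math.floor(Date.now() / 1000)) {
  const payload = decodeJwtPayload(token);
  const problems = [];
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(MGMT_AUDIENCE)) {
    problems.push(`audience ${JSON.stringify(payload.aud)} does not include ${MGMT_AUDIENCE}`);
  }
  const granted = new Set((payload.scope || "").split(" ").filter(Boolean));
  for (const s of requiredScopes) {
    if (!granted.has(s)) problems.push(`missing scope ${s}`);
  }
  if (typeof payload.exp === "number" && payload.exp <= nowSeconds) problems.push("token expired");
  return problems;
}

// Build GET /api/v2/users/{id}: {id} is the user's id (URL-encoded, since ids such as
// "auth0|..." contain "|"), and the token goes in Authorization using the Bearer scheme.
function buildCurrentUserRequest(userId, token) {
  return {
    url: `${MGMT_AUDIENCE}users/${encodeURIComponent(userId)}`,
    options: {
      method: "GET",
      headers: { Authorization: `Bearer ${token}`, Accept: "application/json" },
    },
  };
}

// Perform the call with an injectable fetch implementation so it can run offline.
async function fetchCurrentUser(fetchImpl, userId, token) {
  const problems = checkManagementToken(token, CURRENT_USER_SCOPES);
  if (problems.length) throw new Error("refusing to call Management API: " + problems.join("; "));
  const { url, options } = buildCurrentUserRequest(userId, token);
  const res = await fetchImpl(url, options);
  if (!res.ok) throw new Error(`Management API returned ${res.status}`);
  return res.json();
}

// Constructed, UNSIGNED sample token (alg "none") so the checks above have something to
// decode. A real token is issued and signed by Auth0; never accept alg "none" on a server.
function makeSampleToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.`;
}

// Usage with a constructed token and a mock fetch that only echoes the request it received.
const sampleToken = makeSampleToken({
  aud: MGMT_AUDIENCE,
  scope: tokenRequestParams.scope,
  exp: Math.floor(Date.now() / 1000) + 3600,
});
const mockFetch = async (url, options) => ({
  ok: true,
  status: 200,
  json: async () => ({ requestedUrl: url, authHeader: options.headers.Authorization }),
});
fetchCurrentUser(mockFetch, "auth0|abc123", sampleToken).then((r) => console.log(r));
```

The pre-flight check is deliberately client-side only: it stops the SPA from spending a rate-limited Management API call on a token that was minted for the wrong audience or without the scope, which is the failure mode the issue describes, but it is not a substitute for the server-side signature check the API performs.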