Update 02-calling-an-api.md to explain consent
There is currently no mention of why consent is required and following this example app only leads to confusion. It took WAY too long to find that the management API requires consent regardless of anything and/or why/when consent is explicitly necessary when using a SPA. These instructions seem to reflect a 3rd party app, rather than a first party app.
On second thoughts, it might be better to remove the use of the Management API altogether for demo purposes and instead use "https://[your_account].auth0.com/userinfo" as audience.
Please comment and I can amend the entire document and pull request to reflect if required. Happy to leave it to you if you wish to review the document further internally.
Thanks for raising this @bitshiftnetau.
> the management API requires consent regardless of anything
When you saw consent being asked for, were you running on localhost at the time? On localhost consent is always asked for if needed, rather than being skipped for first-party apps. Here's more detail on when consent can be skipped. So it's less to do with it being the management API and more about the environment.
Either way, it sounds like we can provide more information here. We can review the rest of the doc for improvements.
Hi @stevehobbsdev! Thanks for the response.
Yes indeedy I was running that bad boii in test. Oh ok, that actually sounds very reasonable for security.
Awesome thanks for taking on the suggestion.
Closing due to inactivity, please feel free to comment if you'd prefer to reopen.