node-auth0
getClient method is unusable as documented
TL;DR: the getClient endpoint expects management API scopes which are not grantable, and the 'getClient' method of this library doesn't permit me to ask for fewer fields, which would require less scope.
Describe the problem
Consider the following
```js
// initialize a management API client to my tenant
const options = {
  domain: process.env.AUTH0_DOMAIN,
  clientId: process.env.AUTH0_API_ID,
  clientSecret: process.env.AUTH0_API_CLIENT_SECRET,
  audience: `https://${process.env.AUTH0_DOMAIN}/api/v2/`,
  scope: 'read:clients read:client_keys read:client_credentials read:client_summary'
}
const ManagementClient = require('auth0').ManagementClient
const management = new ManagementClient(options)

// try to call the "getClient" endpoint
// (await is wrapped in an async function so this runs as a CommonJS script)
const client_id = '<my-applications-client-id>'
async function main () {
  try {
    const data = await management.clients.get({ client_id })
    console.log(data)
  } catch (error) {
    console.log(error.message)
  }
}
main()
```
This snippet results in the error `access_denied`: "Client has not been granted scopes: read:client_credentials, read:client_summary".
But when I go to my tenant and try to grant those scopes to the M2M connection, they are not available. See this screen shot.
Expected behavior is that I should be able to grant any necessary scopes to my M2M connection in order to hit the get client endpoint. OR ... I should be able to ask for fewer fields to be returned so that unavailable scopes are not required.
NOTE: the management API documentation for this endpoint states that "client_id, app_type, name, and description can be retrieved with any of the scopes." But THIS library's documentation for this endpoint does not give an option to ask for fewer than all of the client app's fields.
Therefore, I either need to be able to grant the M2M connection all of the necessary scopes, or the getClient method of this library needs the option to ask for less data, which would require only scopes which are grantable. As it is right now, this method will always error.
Reproduction
See the code snippet above for instructions on reproducing. Obviously, you'll need to create an M2M connection to your management API in your Auth0 tenant first. Here is a log of the event where access is denied.
```json
{
  "date": "2022-06-25T03:39:42.714Z",
  "type": "feccft",
  "description": "Client has not been granted scopes: read:client_credentials, read:client_summary",
  "connection_id": "",
  "client_id": "X4upb3L2OZiv9UaSFCe1G5EN5EZredPM",
  "client_name": "Portal Demo API (Test Application)",
  "ip": "45.46.155.160",
  "user_agent": "Other 0.0.0 / Other 0.0.0",
  "hostname": "aaron-custom-demos.us.auth0.com",
  "user_id": "",
  "user_name": "",
  "audience": "https://aaron-custom-demos.us.auth0.com/api/v2/",
  "scope": "read:clients read:client_keys read:client_credentials read:client_summary",
  "auth0_client": {
    "name": "node-auth0",
    "version": "2.37.0",
    "env": {
      "node": "16.14.0"
    }
  },
  "log_id": "90020220625033944057267725274932640920818060076565659666",
  "_id": "90020220625033944057267725274932640920818060076565659666",
  "isMobile": false,
  "id": "90020220625033944057267725274932640920818060076565659666"
}
```
Environment
- Version of this library used:

```json
"auth0_client": {
  "name": "node-auth0",
  "version": "2.37.0",
  "env": {
    "node": "16.14.0"
  }
},
```
Hi @WolbachAuth0 - thanks for raising this
> Expected behavior is that I should be able to grant any necessary scopes to my M2M connection in order to hit the get client endpoint.

You shouldn't need to request the read:client_credentials or read:client_summary scopes to access the get client endpoint.
If you remove those scopes from your scope option, I would expect the Client Credentials grant to succeed and for you to be issued an access token that lets you make requests against the get client endpoint.

> I should be able to grant any necessary scopes to my M2M connection

Looks like there's an ESD out for this (search for "ESD-15577" on jira) - you should be able to grant them in the dashboard or they shouldn't be in the API docs

> OR ... I should be able to ask for fewer fields to be returned so that unavailable scopes are not required.

You can pass additional params (like fields) in the params option of the get clients method, e.g. to get just the client_id and grant_types fields:

```js
await management.clients.get({ client_id, fields: ['client_id', 'grant_types'] });
```
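An added example (not code from the node-auth0 project or from either commenter) that turns the two answers above into small helpers: one reads a `feccft` tenant log entry like the one in the report and returns the requested scope string with the ungranted scopes removed, and one issues `clients.get` with an explicit `fields` array. The sample log entry is constructed, and the names `scopeRetryPlan`, `clientFieldsParams` and `getClientFields` are chosen here.

```javascript
// Added example, not code from the node-auth0 project or from the issue's authors.
// (1) read the scopes a tenant log entry of type "feccft" reports as not granted and
//     compute the scope string to retry with;
// (2) call management.clients.get() with an explicit, minimal `fields` list.
// The sample log entry is constructed; its ids and hostname are placeholders.

const DENIED_PREFIX = 'Client has not been granted scopes: ';

// Fields the Management API docs quoted in the issue say are readable with any of the scopes.
const ALWAYS_READABLE_FIELDS = ['client_id', 'app_type', 'name', 'description'];

// Returns { denied, retryScope } for a "scopes not granted" failure, or null for any
// other log entry. retryScope is the requested scope string with the denied scopes
// removed (order preserved), ready to be used as the ManagementClient `scope` option.
function scopeRetryPlan(entry) {
  if (entry.type !== 'feccft' || !String(entry.description).startsWith(DENIED_PREFIX)) return null;
  const denied = entry.description.slice(DENIED_PREFIX.length).split(',').map((s) => s.trim()).filter(Boolean);
  const requested = String(entry.scope || '').split(/\s+/).filter(Boolean);
  const retryScope = requested.filter((s) => !denied.includes(s)).join(' ');
  return { denied, retryScope };
}

// Builds the params object for clients.get(): `fields` is an array, as the maintainer
// shows above, not the space-separated string the Management API reference uses.
function clientFieldsParams(clientId, fields = ALWAYS_READABLE_FIELDS) {
  return { client_id: clientId, fields: [...fields] };
}

// Requests only `fields` for one client. `management` is a ManagementClient (or any
// object with a clients.get of the same shape); returns whatever clients.get returns
// (a Promise with the real client).
function getClientFields(management, clientId, fields = ALWAYS_READABLE_FIELDS) {
  return management.clients.get(clientFieldsParams(clientId, fields));
}

// Constructed sample modelled on the log record in the issue.
const SAMPLE_LOG = {
  date: '2022-06-25T03:39:42.714Z',
  type: 'feccft',
  description: 'Client has not been granted scopes: read:client_credentials, read:client_summary',
  client_id: '<placeholder-client-id>',
  hostname: '<tenant>.us.auth0.com',
  audience: 'https://<tenant>.us.auth0.com/api/v2/',
  scope: 'read:clients read:client_keys read:client_credentials read:client_summary',
};
```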
OK ...
- I was able to hit the GET Clients endpoint without requesting the two scopes `read:client_credentials` and `read:client_summary`. Curious that I got the error which said I needed those scopes. So you're right about that one. Thank you.
- I was also able to ask for fewer fields by appending them as an `Array<string>` parameter as you showed. My only beef here is that the management API documentation for that endpoint shows it as a single string with the field names space separated, while the documentation for this library doesn't document the fields parameter at all. So I guess that means that this is no longer a bug report, but an enhancement request. Please update the documentation. (I know ... low priority ... but there it is.)
Thanks for responding to this really quickly though.