We have some pipelines that build frontend apps that require client IDs. Rather than sticking them in secrets some way, it would be incredibly handy to be able to pull the client IDs using this CLI. However, it's a little sketchy that the CLI requires all scopes to the management API. It would be great if I could just allow the client I auth with to have the read:clients scope. However, if I create a client with only that scope and attempt to auth with the CLI, it fails saying that it needs all the scopes for the management API.
Describe the ideal solution
I'd like to be able to create a client that can interact with specific CLI commands. For example, if I want to only be able to read clients, I would create a client with the read:clients scope and be able to perform client read commands with the CLI.
Alternatives and current workarounds
Don't think there's really an alternative to this as it's a requirement of the CLI that the client used has all scopes of the management API.
Additional context
No response
I agree that requiring all scopes on the client is a bit sketchy. The original intent was to ensure a quality DX, but we've dropped a similar requirement in the Auth0 Deploy CLI without issue; the Auth0 Terraform Provider has no such requirement either.
We're currently in the midst of making improvements to the login experience so there's a chance this could be bundled in with that work. I'll keep this thread updated over the next several weeks.
Update: Appreciate the suggestion. We included this in v1.3.0. So now when authenticating with client credentials, there is no verification against a required set of scopes. This will allow users to tightly-scope the purview of their CLI client to their specific use case.
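A pipeline that relies on a tightly scoped client, as discussed in this thread, can check that the token it receives really carries nothing beyond `read:clients`. The following is an added example, not code from this thread or from the Auth0 CLI; it assumes the access token is a JWT whose `scope` claim is a space-separated string, and the function names and sample tokens are constructed for illustration.

```python
import base64
import json

ALLOWED_SCOPES = {"read:clients"}  # the single scope requested in the issue


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_scopes(jwt):
    """Return the set of scopes in a JWT access token's `scope` claim.

    The signature is NOT verified here: this audits a token the pipeline
    just obtained for itself; it is not an authentication check.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 segments)")
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("JWT payload is not base64url-encoded JSON") from exc
    scope = claims.get("scope", "") if isinstance(claims, dict) else None
    if not isinstance(scope, str):
        raise ValueError("unexpected `scope` claim format")
    return set(scope.split())


def excess_scopes(jwt, allowed=ALLOWED_SCOPES):
    """Scopes granted to the token beyond the allowed set, sorted."""
    return sorted(token_scopes(jwt) - set(allowed))


def make_sample_token(scope):
    """Build a constructed, unsigned sample token (demo input only)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    payload = {"sub": "constructed-client-id@clients", "scope": scope}
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(payload), "constructed-sig"])


if __name__ == "__main__":
    samples = ("read:clients", "read:clients update:clients delete:clients")
    for granted in samples:
        extra = excess_scopes(make_sample_token(granted))
        print(granted, "->", "OK" if not extra else "over-privileged: %s" % extra)
```

Run as a pipeline step, a non-empty result from `excess_scopes` is the signal to fail the job and review the client's grants.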