Welcome to the Kinde community

Updated 2 months ago

Best flow for creating kinde user via api with admin role

Hello. I am using the kinde management api to automatically create new users when they are created in our own system. As far as I've understood, only m2m applications can access the kinde management api. What is the best flow for when a kinde user, autenticated with admin roles creates a user in our system, and the backend creates a kinde user on behalf of them. From what i can see I can't pass user information in the api for things like audit logs or role checks

P
J
6 comments

Big fan of the product you and the team have. I have a few too many charging apps installed for my car.

You're correct that Machine to Machine (M2M) applications are used to access the Kinde Management API. These M2M applications are secured through an initial exchange of each application's Client ID and Client Secret.

When it comes to creating users via the Kinde Management API, you're right that you can't directly pass user information like audit logs or role checks. The M2M application operates independently of the authenticated user in your system.

However, you can still create users via the API. Here's an example of how you might create a user using the Kinde Management API:

{
  "profile": {
    "first_name": "Uncatchable",
    "last_name": "Joeseptj"
  },
  "identities": [
    {
      "type": "email",
      "details": {
        "email": "<a target="_blank" rel="noopener noreferrer" href="mailto:evgeny+test3@gmail.com">evgeny+test3@gmail.com</a>"
      }
    }
  ]
}


This request would be sent to the endpoint: `https://yourdomain.kinde.com/api/v1/user`.While you can't directly pass the authenticated user's information in the API call, you could potentially store this information in your own system's audit logs. You could log who initiated the user creation in your system, and then correlate this with the Kinde user creation.

As for role checks, roles and permissions in Kinde are typically managed at the organization level. After creating a user, you could use separate API calls to assign roles or permissions based on your system's logic.

It's important to note that the M2M application will need the appropriate scopes to perform these operations. For example, you'll need the create:users scope to create users.

[1] Applications in Kinde
[2] Answer: M2M Tokens via auth flow
[3] Manage user roles
[4] Kinde organizations for developers
[5] Authentication

An alternate option would be for you to record the meta data of who added the user as a property to their profile. https://docs.kinde.com/properties/work-with-properties/manage-properties/?r=search#\_top

Hey, thanks for the shout out, we are doing our best! And right back at you, great software and developer experience all throughout!

Thanks for the detailed response. Yep, this is exactly what we are doing right now, an admin is authenticated in our own system based on roles, then on behalf of that user our backend uses its client credentials flow to create a user in kinde with the api you mentioned above. However this means we lose all end-user information in things like user activity.

What is the design decision of not giving kinde users access to parts of the management api? Is it just because that level of api-access is supposed to be administered by each customer and not Kinde? Perhaps there is something here we missed?

A small followup. If our backend is both supposed to act as an authentication flow starter <i>and</i> management api accessor, are we supposed to use two application credentials, one with m2m and one as "backend" type?

Thanks for explaining further.

Looking back on the conversation, a new end user added in your application via the Kinde API wouldnt have any audit log data yet as they would have authenticated yet. Maybe I missing something?

By 'Kinde users', you are referring to those who can access the Kinde Admin from Elton? If so, the user can do a range of actions on end users and organizations that are reflected back into your application. Is there any in particular that you would like to see?

Yes, you would need to use two different application credentials for these distinct purposes.

1.  For the authentication flow starter, you would use a "Back-end / server-side app" type application. This type of application is described as being "Secured with Authorization Code Flow" and is suitable for server-rendered web applications.

2.  For accessing the Management API, you need to use a Machine to Machine (M2M) application. The documentation specifically states: "Only machine to machine (M2M) applications can connect to Kinde's Management API".

These are two distinct types of applications in Kinde, each serving a different purpose and using different authentication methods. The back-end app uses Authorization Code Flow with a client secret, while the M2M app uses Client Credentials flow.

Therefore, to fulfill both roles (authentication flow starter and Management API accessor), you would indeed need to set up two separate applications in Kinde with different credentials.

I'll explain more in detail

However this means we lose all end-user information in things like user activity.
In this case I meant the end-user being the admin initiating the creation of a new user. Kinde already has a useful user-activity log, however once I am using the management api I have no way (as far as I can see) to make calls to the management api <i>on behalf</i> of the admin(it is always a neutral m2m actor), so the creation of a new user would never end up in the admin's user activity. This of course can be solved on our end, and probably will anyway.\

This isn't that important to us however, and you already answered my most pressing questions. Thanks! 😊

Ahhh thanks for explaining further. So you would want to see any extra activity type or audit log that says that User A invited/created User B.

Great to know that you are able to solving this on your side, I will add it to our requests board either wasy.

Add a reply
Sign up and join the conversation on Slack