I understand I can manage scopes via rules, but I would like to do so with hooks, as they will eventually replace rules. I followed the guide at Client Credentials Exchange. I added a scope in my API, write:data, and can successfully retrieve tokens with this scope. However, I only want Auth0 to return this scope based on a flag within the user's app_metadata. How can I do this via hooks? Will the hook also edit the top-level scope in the Auth0 auth response?
To give things a shot, I added a dummy scope in my cred exchange hook and it returns the following object.
{ "scope": ["read:connections", "testing"] }
However, my auth response does not have the “testing” scope in the access token or in the top level json. Why is that?
At this time there are three available hooks (two related to user registration in database connections and the third related to client credentials). None of the previously mentioned hooks provides the ability to perform what you stated, so the currently available approach is to keep using rules.
In addition, bear in mind that what you describe is an end-user based authentication process, where the request for certain scopes is associated with a particular user identity. In the client credentials hook there is no notion of an end-user, because the underlying client credentials grant also has no notion of an end-user. This grant is used by confidential clients as a means of obtaining an access token directly associated with the client application, not on behalf of a certain end-user.
In conclusion, if you want to programmatically influence the issued scopes for end-user based authentication flows, then you currently need to use rules. If, on the other hand, you want to influence the scopes issued through a client credentials grant, then you should indeed use the hook in question.
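The split described in the answer, as an added example that is not part of the original thread: one function in the shape of an Auth0 Client Credentials Exchange hook (no user, so any decision has to come from the client) and one in the shape of an Auth0 rule (a user exists, so app_metadata can be consulted). The hook and rule signatures follow Auth0's documentation of the time; the metadata keys `extra_scopes` and `can_write`, the harness functions and all sample inputs are constructed for this illustration and are not from the thread.

```javascript
// Added example, not code from the original thread. Illustrative hook and rule
// with constructed inputs so it runs offline without Auth0.
'use strict';

// Client Credentials Exchange hook. Auth0 hook signature of the time:
// (client, scope, audience, context, cb). The object passed to cb must carry
// `scope` as an ARRAY of strings; a malformed object does not add scopes.
function clientCredentialsHook(client, scope, audience, context, cb) {
  const accessToken = {};
  // Start from the scopes the client actually requested (already an array).
  accessToken.scope = Array.isArray(scope) ? scope.slice() : [];
  // There is no user here: any extra scope has to be granted by client metadata.
  // `extra_scopes` is a hypothetical comma-separated client metadata key.
  const extra = (client.metadata && client.metadata.extra_scopes) || '';
  extra.split(',').map(s => s.trim()).filter(Boolean).forEach(s => {
    if (!accessToken.scope.includes(s)) accessToken.scope.push(s);
  });
  cb(null, accessToken);
}

// Rule for end-user flows. Auth0 rule signature: (user, context, callback).
// Setting context.accessToken.scope (an array) overrides the scopes placed in
// the access token. `can_write` is a hypothetical app_metadata flag.
function restrictWriteScopeRule(user, context, callback) {
  const req = context.request || {};
  const raw = (req.query && req.query.scope) || (req.body && req.body.scope) || '';
  const requested = raw.split(' ').filter(Boolean);
  const canWrite = !!(user.app_metadata && user.app_metadata.can_write);
  context.accessToken = context.accessToken || {};
  // Drop write:data unless the user's flag allows it; keep everything else.
  context.accessToken.scope = requested.filter(s => s !== 'write:data' || canWrite);
  callback(null, user, context);
}

// Small synchronous harness (constructed) so both functions can be exercised.
function runHook(client, scope) {
  let out;
  clientCredentialsHook(client, scope, 'https://api.example', {}, (err, token) => {
    out = err || token;
  });
  return out;
}

function runRule(user, scopeString) {
  let out;
  const context = { request: { query: { scope: scopeString } } };
  restrictWriteScopeRule(user, context, (err, u, ctx) => {
    out = err || ctx.accessToken.scope;
  });
  return out;
}

// Usage with constructed inputs:
// runHook({ metadata: { extra_scopes: 'testing' } }, ['read:connections'])
//   -> { scope: ['read:connections', 'testing'] }
// runRule({ app_metadata: { can_write: false } }, 'openid read:data write:data')
//   -> ['openid', 'read:data']
```

The hook only ever sees the client; that is why the flag in the user's app_metadata cannot influence it, and why the write:data decision lives in the rule instead.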