Setting scope in access_token breaks id_token

I have a single page application and a backend application both registered as clients in Auth0. The SPA uses implicit grant to get id_token and access_token from Auth0. Kong validates the access_token and sends the request to the backend. The SPA sets scope "openid profile" and gets full profile information from Google. So far so good.

I need to set roles in the access_token for the backend to read, and am doing this using a rule. The rule goes like this: context.accessToken.scope = ['list', 'of', 'roles']; The problem now is the profile information disappears from the id_token when the rule is active, and I only get basic information in the JWT. I found a way around this, by getting the scopes from the request and adding them to the scopes in the access_token.

var roles = ['list', 'of', 'roles']; // roles the backend reads from the access_token
var scope = context.request.query.scope || ""; // scopes the SPA requested, e.g. "openid profile"
context.accessToken.scope = roles.join(' ').concat(' ').concat(scope); // keep requested scopes, append roles

I would say this must be a bug in Auth0. Setting scope in access_token should not affect how the id_token is generated. I have searched the docs but have not been able to find where this behaviour is documented. If this is expected, please show me where this is described.


I would have to check a few things first so I’m not providing this as an answer at this time, but technically when you perform an OpenID Connect implicit grant with id_token token the access token is also related to OIDC so setting the scope can be seen as denying the OIDC scopes that were requested. In particular, the access token would be used to perform calls to OIDC defined /userinfo endpoint. There is a small caveat that if the request is also for OAuth 2.0 authorization with a custom API and that API requires HS256 then the access token is not allowed for user info.