scopes missing from id_token but present in access_token

mikebridge · May 12, 2017, 5:56am

I was able to add my scopes to my access_token with this rule excerpt:

  var requested_scopes_string = context.request.query.scope || '';
  var requested_scopes = requested_scopes_string.split(' ');
  var allowed_scopes = intersect(requested_scopes, 'openid', 'profile', 'email']);

  if(context.accessToken) {       
      context.accessToken.scope = allowed_scopes;
      roles.forEach(function(role) {
        context.accessToken.scope.push(role);
      });
  }

However, they don’t appear in my idToken if I use the same code:

  if(context.idToken) {       
      context.idToken.scope = allowed_scopes;
      roles.forEach(function(role) {
        context.idToken.scope.push(role);
      });
  }

I also tried this:

  user.app_metadata.roles = roles;
  auth0.users.updateAppMetadata(user.user_id, user.app_metadata)
    .then(function(){
      callback(null, user, context);
    })
    .catch(function(err){
      callback(err);
    });

I’m calling it with these parameters (among others):

oidcConformant: true,
responseType: "token id_token"
scope: "openid email profile api",

Any idea why the id_token / profile doesn’t give me the scopes back, even though the access_token does?

mikebridge · May 12, 2017, 6:25am

… I still don’t know how to get it from the idToken, but I was able to parse the access_token with jwt-decode instead:

import * as decode from "jwt-decode";

export function scopes(token: string): string] {
    const decoded = decode(token);
    return !decoded.scope ? ] : decoded.scope.split(" ");
}