Access token with custom API scopes through Implicit Flow?

I am wondering whether it is possible to get a user access token with a custom scope for an API that is configured to allow all apps for User-Delegated Access.

I tried to just add the scope in the /authorize request, but it just gets dropped and I get an access token with an empty string as scope claim.

I tried with both response_type=token and with response_type=code with PKCE.
I also tried changing the API’s User-delegated Access to per app authorization and manually granting the scope I’m looking for to that app (of course User Delegated access) with no success.

Can one get a user access token with a custom API scope? Under what conditions?

Hi @Adelin

Welcome to the Auth0 Community!

I understand that you are trying to add custom scopes for a user access token via Implicit Flow.

Allow me to share some details as to why you could be seeing this behaviour:

  • Missing the audience property: Not including the audience parameter in the /authorize request can lead to an opaque access token. If you do not specify your custom API’s identifier as the audience (either in your SDK config or directly in the query parameters), Auth0 will issue a “scopeless”, opaque, or standard OIDC token that only contains standard OIDC scopes like openid profile email.

GET /authorize?
    response_type=token id_token
    &scope=openid email
    &client_id=123
    &state=af0ifjsldkj
    &nonce=jxdlsjfi0fa
    &redirect_uri=https://app.example.com
    &audience=https://api.example.com
  • User could be missing the required permissions: Since scopes in user flows represent delegated user privileges, the user logging in must actually possess the permission. As you mentioned User-Delegated Access, this can be achieved via user Roles → I can recommend reading our documentation on Delegated Administration: Manage Users - Auth0 Docs

Below is a series of docs and articles that focus on various aspects of your implementation which should provide useful information:

Let us know if this helped!

Best regards,
Gerald