We have an M2M application, though we are not using an Auth0 SDK. We have already added the user-granted scopes to the JWT. It shows as empty when using the refresh token. But if making the same request using Postman, the scopes appear nicely.
Is there a way to add it?
The refresh token does not contain the expected custom scope if the request was made via a Rule/Action.
This is a limitation of the current product. The below Github link describes a possible workaround.
Question: refresh token call and custom rules · Issue #896 · auth0/auth0-spa-js · GitHub
" … you want access to these values in a Rule to run your own custom logic, you’re better just putting these values into a custom parameter that you can then pick up inside a rule. That way they don’t interfere with the OAuth flow while still being able to participate in your own custom logic."