Adding Additional Scopes in a Rule

I have a rule to add a custom scope if a certain condition is met. The code looks like this:

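function (user, context, callback) {
  if (something == true) {
    // Start from the scopes already on the access token, if any
    var scopes = context.accessToken.scope ? context.accessToken.scope : "";
    // Append any scopes stored in the user's app_metadata
    scopes += user.app_metadata && user.app_metadata.scopes ? " " + user.app_metadata.scopes : "";
    // Leading space keeps the default scope separate from the previous one
    scopes += " customScope"; // we add in a default scope
    context.accessToken.scope = scopes;
  }

  return callback(null, user, context);
}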

However, if I set this custom scope in this manner, all other scopes are removed. This includes any scope (permissions) assigned directly to the user or assigned via roles.

How can I add an additional scope, while still allowing for any additional scopes to be handled by Auth0 as normal?

Hey there @mike.edwards!

As far as I’m aware, this is expected behavior due to the fact that scopes shouldn’t be altered once the authorize request has already been made. In this case you are attempting to append a scope to a token which has already been created.

Instead, you might look into adding a custom claim using the same metadata. This way you can be sure it’s not interfering with anything else.

Hope this helps!
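The custom-claim approach suggested in the reply above, as an added example that is not part of the original thread or Auth0's own code: the rule leaves `context.accessToken.scope` untouched and publishes the extra values under a namespaced claim, and a helper shows how an API could combine both. The namespace `https://example.com/`, the claim name `extra_scopes`, the function names and the sample user are assumptions; in the rules editor the rule body would be pasted as an anonymous `function (user, context, callback)`.

```javascript
// Placeholder namespace for the custom claim (assumption, replace with your own).
const NAMESPACE = "https://example.com/";

// Accept either a space-delimited string or an array and return a clean list.
function normalizeScopes(value) {
  if (!value) return [];
  const list = Array.isArray(value) ? value : String(value).split(/\s+/);
  return list.map((s) => String(s).trim()).filter(Boolean);
}

// Rule body: add a custom claim instead of rewriting context.accessToken.scope,
// so scopes granted directly or via roles are not overwritten by the rule.
function addExtraScopesClaim(user, context, callback) {
  // app_metadata is used because, unlike user_metadata, users cannot edit it.
  const fromMetadata = normalizeScopes(user.app_metadata && user.app_metadata.scopes);
  const extra = Array.from(new Set(fromMetadata.concat(["customScope"])));
  context.accessToken = context.accessToken || {};
  context.accessToken[NAMESPACE + "extra_scopes"] = extra;
  return callback(null, user, context);
}

// API side: merge the standard scope claim with the custom claim,
// given the payload of an access token whose signature was already verified.
function effectiveScopes(payload) {
  const standard = normalizeScopes(payload.scope);
  const extra = normalizeScopes(payload[NAMESPACE + "extra_scopes"]);
  return Array.from(new Set(standard.concat(extra)));
}

// Constructed sample input, not real tenant data.
const sampleUser = { app_metadata: { scopes: "read:reports write:reports" } };
const sampleContext = { accessToken: {} };
addExtraScopesClaim(sampleUser, sampleContext, (err, user, context) => {
  console.log(JSON.stringify(context.accessToken, null, 2));
});
```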