Adding Additional Scopes in a Rule

I have a rule to add a custom scope if a certain condition is met, the code looks like this:

function (user, context, callback) {

if(something == true){

  		var scopes = context.accessToken.scope ?  context.accessToken.scope : "";    					
  		scopes += user.app_metadata && user.app_metadata.scopes ?  " "+user.app_metadata.scopes : "";
  		scopes += "customScope"; //we add in a default scope
  		context.accessToken.scope = scopes;
  	return callback(null, user, context);

However if I set this custom scope, in this manner, all other scopes are removed. This includes any scope (permissions) assigned directly to the user or assigned via roles.

How can I add an additional scope, while still allowing for any additional scopes to be handled by Auth0 as normal?

Hey there @mike.edwards!

As far as I’m aware, this is expected behavior due to the fact that scopes shouldn’t be altered once the authorize request has already been made - In this case you are attempting to append a scope to a token which has already been created.

Instead, you might look into adding a custom claim using the same metadata. This way you can be sure. it’s not interfering with anything else.

Hope this helps!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.