Adding Additional Scopes in a Rule

I have a rule to add a custom scope if a certain condition is met. The code looks like this:

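function (user, context, callback) {
  // `something` is the placeholder condition from the post
  if (something == true) {
    // Start from the scope string already on the access token, if any
    var scopes = context.accessToken.scope ? context.accessToken.scope : "";
    // Append the scopes stored in the user's app_metadata, if any
    scopes += user.app_metadata && user.app_metadata.scopes ? " " + user.app_metadata.scopes : "";
    scopes += " customScope"; // we add in a default scope (leading space keeps it a separate scope)
    context.accessToken.scope = scopes;
  }

  return callback(null, user, context);
}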

However, if I set this custom scope in this manner, all other scopes are removed. This includes any scope (permissions) assigned directly to the user or assigned via roles.

How can I add an additional scope, while still allowing for any additional scopes to be handled by Auth0 as normal?

Hey there @mike.edwards!

As far as I’m aware, this is expected behavior due to the fact that scopes shouldn’t be altered once the authorize request has already been made. In this case, you are attempting to append a scope to a token which has already been created.

Instead, you might look into adding a custom claim using the same metadata. This way you can be sure it’s not interfering with anything else.

Hope this helps!
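
The custom-claim approach suggested in the reply above, as an added example that is not part of the original thread. It leaves out the question's condition; the namespace URL, the claim name `extra_scopes` and the function names are assumptions, and `app_metadata.scopes` is taken to be a space-delimited string as in the question's rule.

```javascript
// Added example, not code from the thread. NAMESPACE and the claim name are
// placeholders; app_metadata.scopes is assumed to be a space-delimited string.
const NAMESPACE = "https://example.com/";

// In the Auth0 dashboard a rule is an anonymous function with this signature;
// it is named here only so it can be called locally.
function addScopeClaim(user, context, callback) {
  const meta = user.app_metadata || {};
  const fromMetadata = typeof meta.scopes === "string"
    ? meta.scopes.split(/\s+/).filter(Boolean)
    : [];

  // Deduplicate so a scope stored in metadata and the default never repeat.
  const extra = Array.from(new Set(fromMetadata.concat("customScope")));

  // Write only the namespaced claim; context.accessToken.scope is not touched,
  // so scopes granted through the normal flow are not replaced.
  context.accessToken = context.accessToken || {};
  context.accessToken[NAMESPACE + "extra_scopes"] = extra;

  return callback(null, user, context);
}

// Constructed sample input, shaped like the objects a rule receives.
function runSample() {
  const user = { app_metadata: { scopes: "read:reports  customScope" } };
  const context = { accessToken: {} };
  let result;
  addScopeClaim(user, context, (err, u, ctx) => { result = { err, ctx }; });
  return result;
}

console.log(JSON.stringify(runSample().ctx.accessToken));
```

The API that receives the token has to check this claim itself, because its values are not part of `scope`.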
