Adding Scopes/Permissions to ID Token


As a follow-up to this topic:

Is there any official documentation or reference to how User Permissions can be appended to ID Tokens?
The linked topic contains another link to a code snippet generously added by @ryantomaselli:

And while this snippet looks like it may be a solution, it’s definitely not something I would consider official documentation.

I would expect to see a working Rule code snippet, as well as instructions on how such a Rule should be added to the Auth Pipeline.

Is there a reason Scopes aren’t appended to an ID Token by default? I’d like to be able to check the scope property just as I check M2M JWT scopes.

Hi @subtlestag,

Thanks for reaching out to the Auth0 Community!

Unfortunately, there is no officially written documentation on appending user permissions to ID Tokens. Instead, the related community post that you found is the best source for solutions that are not available out of the box.

When using Rules, they are always triggered post-authentication in the auth pipeline. Therefore, the user’s permissions are retrieved on login and then appended to the ID Token in the example.

Scopes are not part of the required ID token claims as defined in the OpenID ID Token specification but can be included optionally as custom claims.

Generally, scopes are appended to the Access Tokens when you specify the scope parameter in the /authorize request. For example, scope=openid profile email read:reports. Therefore, you will need to append the scopes as custom claims to the ID Token if you wish to include them there.

Hope this answers your questions.

Please let me know if you have any further concerns or questions.
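An added, constructed example (not the snippet from the linked post and not Auth0 documentation) of a Rule in the `(user, context, callback)` shape that appends the user's permissions and the requested scopes to the ID token as namespaced custom claims. The claim namespace URL and the synchronous `lookupPermissions` table are assumptions standing in for the asynchronous Management API lookup a real Rule would make.

```javascript
// Auth0 requires custom claims to be namespaced with a URL; this one is a placeholder.
const NAMESPACE = 'https://example.com/claims/';

// Stand-in for a Management API permission lookup (constructed data, not a real tenant).
// A real Rule would call the Management API asynchronously here.
const PERMISSIONS_BY_USER = {
  'auth0|alice': ['read:reports', 'write:reports'],
  'auth0|bob': [],
};
function lookupPermissions(userId) {
  return PERMISSIONS_BY_USER[userId] || [];
}

// Rule body in the (user, context, callback) shape Auth0 Rules use.
// Rules run post-authentication, so the user is already verified at this point.
function addPermissionsToIdToken(user, context, callback) {
  try {
    const permissions = lookupPermissions(user.user_id);
    const requestedScopes = ((context.request && context.request.query && context.request.query.scope) || '')
      .split(' ')
      .filter(Boolean);

    // Note: these claims are for the client (e.g. to drive UI decisions);
    // APIs must still authorize on the access token, not on the ID token.
    context.idToken[NAMESPACE + 'permissions'] = permissions;
    // Mirrors the scope claim a client would otherwise only see in the access token.
    context.idToken[NAMESPACE + 'scope'] = requestedScopes.join(' ');

    return callback(null, user, context);
  } catch (err) {
    return callback(err);
  }
}

// Drives the rule with a constructed login context and returns the resulting ID token claims.
function simulateLogin(userId, scope) {
  const user = { user_id: userId };
  const context = { idToken: {}, accessToken: {}, request: { query: { scope } } };
  let claims = null;
  addPermissionsToIdToken(user, context, (err, _user, ctx) => {
    if (err) throw err;
    claims = ctx.idToken;
  });
  return claims;
}
```

Calling `simulateLogin('auth0|alice', 'openid profile read:reports')` yields an ID token with a `permissions` claim of `['read:reports', 'write:reports']` and a `scope` claim of `'openid profile read:reports'`.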
