
Additional scopes when Authenticating via OIDC


#1

Hi,

I am following the Web App > ASP.NET Core quick-start.

It uses Cookie and OIDC middleware. I am adding scopes to the OIDC authorisation request in order to be able to invoke the Management API. Such as:

// Configure the scope
options.Scope.Clear();
options.Scope.Add("openid");
options.Scope.Add("profile");
options.Scope.Add("read:users");
options.Scope.Add("read:user_idp_tokens");

I have added the ‘audience’ parameter to the management API as per the docs (but that doesn’t really matter here).

options.Events = new OpenIdConnectEvents
{
    OnRedirectToIdentityProvider = context =>
    {
        // Request an access token for the Management API audience
        context.ProtocolMessage.SetParameter("audience", "xxxxxxxxxxxxxxxxx/api/v2/");

        return Task.FromResult(0);
    },
};

However, the access token I receive back only contains the 'openid profile' scopes. Why do I not get back the other scopes? Is it possible to specify other scopes? Do I have to specifically make a round-trip to explicitly ask for an access token by posting a request to xxxxxxxxxxxxxxx/oauth/token?

What if I define custom scopes for my own APIs? Will I not be able to get authorization for them with the defined custom scopes?
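As an added example (not code from the original post or from the Auth0 quick-start), the configuration above wired into one helper, extended with a check that reads the `scope` claim of the access token the token endpoint actually returns and logs any requested scope that is absent, so the requested and granted scopes can be compared during sign-in. It assumes the authorization code flow, the `Microsoft.AspNetCore.Authentication.OpenIdConnect` and `System.IdentityModel.Tokens.Jwt` packages, and placeholder tenant, client and audience values; the class and method names are hypothetical.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
// Hypothetical helper: pass ConfigureOidc to .AddOpenIdConnect(...) after .AddCookie(). Values are placeholders.
public static class Auth0Scopes
{
    const string ManagementAudience = "https://YOUR_TENANT.auth0.com/api/v2/"; // placeholder
    static readonly string[] Requested = { "openid", "profile", "read:users", "read:user_idp_tokens" };
    public static void ConfigureOidc(OpenIdConnectOptions options)
    {
        options.Authority = "https://YOUR_TENANT.auth0.com"; // placeholder
        options.ClientId = "YOUR_CLIENT_ID";                 // placeholder
        options.ClientSecret = "YOUR_CLIENT_SECRET";         // placeholder
        options.ResponseType = "code"; // authorization code flow, so the token endpoint response is observable
        options.Scope.Clear();
        foreach (var s in Requested) options.Scope.Add(s);
        options.Events = new OpenIdConnectEvents
        {
            // Same audience parameter as in the post, added to the authorize request.
            OnRedirectToIdentityProvider = ctx =>
            {
                ctx.ProtocolMessage.SetParameter("audience", ManagementAudience);
                return Task.CompletedTask;
            },
            // Compare the scopes requested with the scopes the token endpoint actually granted.
            OnTokenResponseReceived = ctx =>
            {
                var missing = MissingScopes(ctx.TokenEndpointResponse.AccessToken, Requested);
                if (missing.Length > 0)
                    ctx.HttpContext.RequestServices.GetRequiredService<ILoggerFactory>().CreateLogger("Auth0Scopes")
                        .LogWarning("Requested scopes absent from access token: {Missing}", string.Join(" ", missing));
                return Task.CompletedTask;
            }
        };
    }
    // Requested scopes that do not appear in the JWT's space-separated "scope" claim.
    // An opaque (non-JWT) access token cannot be inspected locally, so all requested scopes are reported.
    public static string[] MissingScopes(string accessToken, string[] requested)
    {
        var handler = new JwtSecurityTokenHandler();
        if (string.IsNullOrEmpty(accessToken) || !handler.CanReadToken(accessToken)) return requested;
        var granted = handler.ReadJwtToken(accessToken).Claims.Where(c => c.Type == "scope")
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries)).ToHashSet();
        return requested.Where(r => !granted.Contains(r)).ToArray();
    }
}
```

The warning only tells you which scopes were not issued; the token's `scope` claim, not the scopes you asked for, is what the Management API enforces, which is why the 403 below lists the scopes it expected.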


#2

I’m running into a similar problem. Scopes openid, email and profile work, but the scope ‘read:users’ is ignored and the access token I receive back is missing that scope.


#3

Then, when I try to read users, I get this reply:

{"statusCode":403,"error":"Forbidden","message":"Insufficient scope, expected any of: read:users,read:user_idp_tokens","errorCode":"insufficient_scope"}


#4

If I use https://ampogee.auth0.com/api/v2/ as the audience, it ignores the read:users in the scope.