Angular frontend communicating with FastAPI does not seem to send my custom scopes

Based on your examples, I have created an Angular 11 SPA (running locally on port 4200) which communicates with a FastAPI-based backend (running locally on localhost port 8080). I am using the package ‘fastapi-auth0’. Now, although authentication works, my custom scope is not sent with the token. The scope content of the token is ‘openid profile email’.

Because on the Angular site my httpInterceptor is defined as:

    AuthModule.forRoot({
        domain: '<my domain>',
        clientId: '<my client id>',

        // Request this audience at user authentication time
        audience: 'https://<my API audience>',

        // Request this scope at user authentication time
        scope: 'read:measurements',

        // Specify configuration for the interceptor
        httpInterceptor: {
            allowedList: [
                {
                    // Match any request that starts with the uri defined below (note the asterisk)
                    uri: 'http://127.0.0.1:8080/*',
                    tokenOptions: {
                        // The attached token should target this audience
                        audience: '<my API audience>',

                        // The attached token should have these scopes
                        scope: 'read:measurements'
                    }
                }
            ]
        }
    })

I would have expected the scope to contain ‘read:measurements’ too.
I have defined this in the ‘Permissions’ tab, by the way, and enabled ‘RBAC’ and ‘Add Permissions in the Access Token’.

Hi @evert,

Welcome to the Auth0 Community!

Are you not seeing the custom scope at all in the token? Your scope should be included in the token. Are you not seeing it there?

Thanks for replying to my message. Yes, I see the scope in the token. For convenience I have included a screenshot of the debugging output of the ‘payload’ variable in the library's ‘auth.py’.

[Screenshot: Payload]

Have you assigned the permission to the user directly or implicitly via a role?

Well, thank you very much for pointing me in the right direction. This greenhorn completely misunderstood the concept of scoped API protection: I had the assumption that the httpInterceptor was sending the allowed scopes. I was already wondering how this is managed per user.

Now I see: when a user is registered into Auth0, I need to go to this user and assign manually the allowed scopes.

It now works.

Still makes me wonder why the httpInterceptor is defined with an ‘audience’ and a ‘scope’ because when I comment this out it works too.


@evert,

You may be defining the audience for your custom API somewhere else in your Angular app, or have set a tenant-wide default audience. The https://{YOUR-TENANT}.eu.auth0.com/userinfo audience is a default.

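The two points the thread settles, that the scopes in a token are what Auth0 granted the user (not what the SPA's interceptor asked for) and that a token minted for the default userinfo audience is not a token for your API, both have to be enforced on the FastAPI side. The following is an added example, not code from the thread, from fastapi-auth0 or from Auth0: it assumes the access token has already been signature-verified and decoded into a dict upstream, and the tenant name, API identifier and payloads are constructed placeholders. It reads the standard space-separated `scope` claim and the `permissions` list that Auth0 adds when RBAC and ‘Add Permissions in the Access Token’ are on, and checks the `aud` claim, which Auth0 issues either as a string or as a list when several audiences were requested.

```python
"""Server-side authorisation decision on a decoded Auth0 access token payload.

Added example, not the thread's or fastapi-auth0's code. Signature, issuer and
expiry checks are assumed to have happened before these functions are called.
"""
from typing import Iterable, Set

# Constructed placeholder identifiers (not from the thread).
API_AUDIENCE = "https://api.example.invalid/measurements"
USERINFO_AUDIENCE = "https://example-tenant.eu.auth0.com/userinfo"

# Constructed sample payloads, shaped like decoded Auth0 access tokens.
TOKEN_WITH_PERMISSION = {          # user who has read:measurements assigned
    "iss": "https://example-tenant.eu.auth0.com/",
    "sub": "auth0|user-with-permission",
    "aud": [API_AUDIENCE, USERINFO_AUDIENCE],   # list form: two audiences requested
    "scope": "openid profile email read:measurements",
    "permissions": ["read:measurements"],
}
TOKEN_WITHOUT_PERMISSION = {       # the original post's situation: scope not granted
    "iss": "https://example-tenant.eu.auth0.com/",
    "sub": "auth0|user-without-permission",
    "aud": API_AUDIENCE,                         # string form: single audience
    "scope": "openid profile email",
    "permissions": [],
}
USERINFO_ONLY_TOKEN = {            # no API audience requested: default audience only
    "iss": "https://example-tenant.eu.auth0.com/",
    "sub": "auth0|user-with-permission",
    "aud": USERINFO_AUDIENCE,
    "scope": "openid profile email",
}


class WrongAudience(Exception):
    """Token was not issued for this API; answer HTTP 401."""


class InsufficientScope(Exception):
    """Token is for this API but lacks a required scope; answer HTTP 403."""


def audiences(payload: dict) -> Set[str]:
    """Normalise the ``aud`` claim, which may be a string or a list, to a set."""
    aud = payload.get("aud")
    if aud is None:
        return set()
    if isinstance(aud, str):
        return {aud}
    return {str(a) for a in aud}


def granted_scopes(payload: dict) -> Set[str]:
    """Union of the ``scope`` claim (space-separated) and the RBAC ``permissions`` list.

    Only what the authorisation server actually put in the token counts; the
    scope the SPA requested in its interceptor never reaches this function.
    """
    scopes = set(str(payload.get("scope", "")).split())
    permissions = payload.get("permissions", [])
    if isinstance(permissions, (list, tuple)):
        scopes.update(str(p) for p in permissions)
    return scopes


def token_is_for_api(payload: dict, api_audience: str) -> bool:
    """True only when the API's own identifier is among the token's audiences."""
    return api_audience in audiences(payload)


def missing_scopes(payload: dict, required: Iterable[str]) -> Set[str]:
    """Required scopes the token does not grant (empty set means allowed)."""
    return set(required) - granted_scopes(payload)


def authorize(payload: dict, api_audience: str, required: Iterable[str]) -> Set[str]:
    """Audience first, then scopes; returns the granted scope set on success."""
    if not token_is_for_api(payload, api_audience):
        raise WrongAudience("token audience %s does not include %s"
                            % (sorted(audiences(payload)), api_audience))
    missing = missing_scopes(payload, required)
    if missing:
        raise InsufficientScope("missing scope(s): " + " ".join(sorted(missing)))
    return granted_scopes(payload)


def decision(payload: dict, api_audience: str, required: Iterable[str]) -> str:
    """Map the outcome to the response class an API route would send."""
    try:
        authorize(payload, api_audience, required)
    except WrongAudience:
        return "401 wrong audience"
    except InsufficientScope:
        return "403 insufficient scope"
    return "200 allowed"


if __name__ == "__main__":
    for name, token in (("with permission", TOKEN_WITH_PERMISSION),
                        ("without permission", TOKEN_WITHOUT_PERMISSION),
                        ("userinfo only", USERINFO_ONLY_TOKEN)):
        print("%-20s -> %s" % (name, decision(token, API_AUDIENCE, ["read:measurements"])))
```

In a FastAPI route this decision sits inside the dependency that already verified the JWT; the point of separating `token_is_for_api` from `missing_scopes` is that a missing audience is an authentication failure (the token was never meant for this service), while a missing scope is an authorisation failure for a caller the API does recognise, and the two should log and respond differently.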