Angular SPA: Scopes not correctly returned

Hello, I’m using "@auth0/auth0-angular": "^2.2.1" and, following the Quick Start tutorial, I’ve added the following in app.module.ts:

AuthModule.forRoot({
      domain: '<auth0 domain>',
      clientId: '<client id>',
      authorizationParams: {
        redirect_uri: window.location.origin,
        audience: '<auth0 audience>',
        scope: 'openid read:current_user read:positions read:skill_tests'
      },
     ...

When the login request happens using this.auth.loginWithRedirect(), I can see the scopes being set correctly in the request:

But then the token returned doesn’t have all the scopes that were requested.

Moreover, when I try to call the API that has the missing two scopes from above, I get an error:

ERROR Error: Consent required

I’m using the library’s httpInterceptor:

AuthModule.forRoot({
      ...
      httpInterceptor: {
        allowedList: [
          {
            uri: 'http://127.0.0.1:4201/*',
            tokenOptions: {
              authorizationParams: {
                audience: '<api audience>',
                scope: 'read:positions read:skill_tests'
              }
            }
          }
        ]
        ...

The Permissions are set correctly in the Custom API, the RBAC Settings are both on, and when using the Test “ask auth0 for token for my application” and “sending the token to the API” it works correctly and I can see the permissions being set.
The User has both of the permissions required in his profile.

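A way to check the mismatch described in the post above, added here as an example and not part of the original post or of the auth0-angular library: decode the returned access token's payload and compare its `scope` claim with the scopes that were requested. The function names, the sample token, and the presence of a `permissions` array in the token are assumptions made for illustration.

```javascript
// Added diagnostic example (not from the original post).
// Decodes a JWT payload WITHOUT verifying the signature: use it to inspect a
// token while debugging, never to make an authorization decision.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected a 3-segment compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Compare the space-separated scopes that were requested with what the token carries.
function diffScopes(requested, token) {
  const claims = decodeJwtPayload(token);
  const want = requested.split(/\s+/).filter(Boolean);
  const scope = new Set(String(claims.scope || '').split(/\s+/).filter(Boolean));
  // Assumption: the API is configured to put a `permissions` array in the token.
  const perms = new Set(Array.isArray(claims.permissions) ? claims.permissions : []);
  return {
    audience: [].concat(claims.aud || []), // `aud` may be a string or an array
    granted: want.filter((s) => scope.has(s)),
    missing: want.filter((s) => !scope.has(s)),
    // Listed under `permissions` but absent from `scope`
    permittedButNotGranted: want.filter((s) => !scope.has(s) && perms.has(s)),
  };
}

// Builds an unsigned sample token so the example runs offline (constructed data).
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.constructed`;
}

// Constructed claims: audience and values are placeholders, not from the post.
const sampleToken = makeSampleToken({
  aud: ['https://api.example.test'],
  scope: 'openid read:current_user',
  permissions: ['read:positions', 'read:skill_tests'],
});

const report = diffScopes(
  'openid read:current_user read:positions read:skill_tests',
  sampleToken
);
console.log(report);
```
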