I’ve got the authentication quick start working for my React SPA and that all works fine. The next step is securing my web api layer.
I downloaded the API quickstart, which comes with my details pre-loaded, e.g. audience, but it fails, in that the service that requires authorization returns a 401. If I debug, it appears that the authentication response from Auth0 doesn’t have all the requested scopes, only ‘openid profile’. I can add ‘email’ to that, but that is it. The custom scopes, e.g. ‘read:messages’, are not there. When I first logged in, the Auth0 login was followed by a screen asking if the tenant could get access to the scopes. If I go to the dashboard for this user and look at authorized applications for the correct audience, it has the correct scopes that the SPA app wants.
I’ve looked at the access_token in jwt.io and there is nothing that looks like scope in there.
I tried adding the Authorization extension, created permissions with the same name as the scopes, and I can see the roles now loaded as ‘app_metadata’ in my user JSON. However, that doesn’t make a difference.
- why isn’t the authentication result returning the scopes I requested?
- how do I easily associate a specific user with those scopes (maybe this will be resolved with question 1)? I assume this means rules?
- I could look at writing my own rule to add a scope, but it isn’t clear what data I should add and what it should look like. What does a scope structure look like on a user? I’d even be happy adding a scope manually to my user for the time being.
Thanks for your time.