Hello, I’m trying to use scopes for my APIs and the JWT returned by Auth0 doesn’t seem to have the requested scopes. I searched around a whole bunch but couldn’t find an answer. I did the following:
1. Created a new API, added a few different permissions, and enabled RBAC and “Add Permissions in Access Token” in Settings.
2. Created a couple of roles and added the relevant permissions and users.
3. Opened the Authentication API debugger extension, entered my scope (global_admin:write) and selected “id_token” for the response type.
The resulting JWT doesn’t have the scope I requested, which seems to suggest that the user doesn’t have the right permissions. But I have confirmed that this user is present in the role I created in step 2. What gives? Would appreciate any help or pointers in figuring this out. Thanks!
It sounds like this should be working according to your description. Will you please DM me the name of the tenant so I can double check your configuration?
Everything looks okay in your config. I can’t see if you have the RBAC and Add Permissions settings enabled, but it should be fairly obvious. Can you please post a code snippet of the request you are making?
Both RBAC and Add Permissions are enabled in my API settings. I’m making a request from the Auth0 Authentication API Debugger to reduce the number of variables (i.e. there is no code from my end involved). I’ve entered the following info:
Username: (this email has been added to the right role with admin privileges on the API)
Response Type: id_token
Scope: openid email global_admin:write
Nonce: foo
I then click OAUTH / OIDC login. The JWT I get back has my email and email_verified but doesn’t have anything for the global_admin:write scope I requested. Please let me know if I should be doing something else.
Yes, I’m looking for it in the id_token. I DMed you a sample JWT I received. One thing I noticed is that regardless of whether I put something in the “Audience” field I see the same “aud” value in the JWT returned by Auth0. Is there something special I need to do to get the Audience to take effect?
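The thread turns on which token carries what: under OpenID Connect the id_token’s `aud` is the application’s client_id and it describes the user, while permissions granted for an API travel in the access token minted for that API’s audience. The following is an added example, not code from the thread or from Auth0, that builds a constructed id_token and a constructed access token, verifies each signature, and runs the authorization check an API would run. It assumes HS256 with a shared demo secret so it runs offline (Auth0 tokens are normally RS256 and would be verified against the tenant’s JWKS); the client_id, API identifier, issuer and user claims are placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (assumptions, not from the thread): a shared HS256
# secret, the application's client_id and the API identifier set on the API.
DEMO_SECRET = b"demo-secret-not-for-production"
CLIENT_ID = "abc123clientid"
API_IDENTIFIER = "https://api.example.com/"
ISSUER = "https://TENANT.auth0.com/"  # placeholder tenant


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Mint a compact HS256 JWT; used only to build the sample tokens below."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_hs256_jwt(token: str, secret: bytes) -> dict:
    """Verify the signature before trusting any claim; pin the algorithm."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not choose the algorithm
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def audiences(claims: dict) -> list:
    """The 'aud' claim may be a single string or a list of strings."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def authorizes(claims: dict, api_identifier: str, permission: str) -> bool:
    """True only if the token was issued for this API and carries the permission,
    either in the RBAC 'permissions' array or in the space-separated 'scope'."""
    if api_identifier not in audiences(claims):
        return False
    if permission in claims.get("permissions", []):
        return True
    return permission in claims.get("scope", "").split()


# Constructed sample tokens: an id_token addressed to the application, and an
# access token addressed to the API with the RBAC permission included.
SAMPLE_ID_TOKEN = make_hs256_jwt(
    {"iss": ISSUER, "sub": "auth0|user1", "aud": CLIENT_ID,
     "email": "user@example.com", "email_verified": True, "nonce": "foo"},
    DEMO_SECRET,
)
SAMPLE_ACCESS_TOKEN = make_hs256_jwt(
    {"iss": ISSUER, "sub": "auth0|user1",
     "aud": [API_IDENTIFIER, ISSUER + "userinfo"],
     "scope": "openid email global_admin:write",
     "permissions": ["global_admin:write"]},
    DEMO_SECRET,
)

if __name__ == "__main__":
    for label, token in (("id_token", SAMPLE_ID_TOKEN), ("access_token", SAMPLE_ACCESS_TOKEN)):
        claims = verify_hs256_jwt(token, DEMO_SECRET)
        print(label, audiences(claims), authorizes(claims, API_IDENTIFIER, "global_admin:write"))
```

Run as-is, the id_token line shows `aud` equal to the client_id and the check returning False even though the user holds the role, while the access token line shows the API identifier in `aud` and the check returning True. The audience check comes before the permission check on purpose: a token minted for a different audience must be refused regardless of which scopes or permissions it lists.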