Auth0 JWT doesn't have requested API Scopes

Hello, I’m trying to use scopes for my APIs and the JWT returned by Auth0 doesn’t seem to have the requested scopes. I searched around a whole bunch but couldn’t find an answer. I did the following:

1. Created a new API, adding a few different permissions and enabled RBAC and “Add Permissions in Access Token” in Settings.
2. Created a couple roles, added the relevant permissions and users.
3. Opened the Authentication API debugger extension and entered my scope (global_admin:write) and selected “id_token” for response type

The resulting JWT doesn’t have the scope I requested for, which seems to suggest that the user doesn’t have the right permissions. But I have confirmed that this user is present in the role I created in (2). What gives? Would appreciate any help or pointers in figuring this out. Thanks!

Hi @vinayvinay,

Welcome to the Auth0 Community!

It sounds like this should be working according to your description. Will you please DM me the name of the tenant so I can double check your configuration?

Everything looks okay in your config. I can’t see if you have the RBAC and Add Permissions settings enabled, but it should be fairly obvious. Can you please post a code snippet of the request you are making?

Both RBAC and Add Permissions are enabled in my API settings. I’m making a request from the
Auth0 Authentication API Debugger to reduce the number of variables (i.e. there is no code from my end involved). I’ve entered the following info:

1. Username: (this email has been added to the right role with admin privileges on the API)
2. Response Type: id_token
3. Scope: openid email global_admin:write
4. Nonce: foo

I then click OAUTH / OIDC login. The JWT I get back has my email and email_verified but doesn’t have anything for the global_admin:write scope I requested. Please let me know if I should be doing something else.

It looks like you might be missing the audience param. This param tells Auth0 which API the user is requesting access to.

Great catch. I thought this was it, but specifying the audience parameter still doesn’t solve my problem

The JWT is still missing scope permissions.

Are you looking for them in the ID token?

Yes, I’m looking for it in the id_token. I DMed you a sample JWT I received. One thing I noticed is that regardless of whether I put something in the “Audience” field I see the same “aud” value in the JWT returned by Auth0. Is there something special I need to do get the Audience to take effect?

Using “token” instead of “id_token” fixed my problem!! Thank you to Dan for the suggestion. Appreciate the time and help very much.

Glad we could get it figured out!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.