Auth0 JWT doesn't have requested API Scopes

Hello, I’m trying to use scopes for my APIs and the JWT returned by Auth0 doesn’t seem to have the requested scopes. I searched around a whole bunch but couldn’t find an answer. I did the following:

  1. Created a new API, adding a few different permissions and enabled RBAC and “Add Permissions in Access Token” in Settings.
  2. Created a couple roles, added the relevant permissions and users.
  3. Opened the Authentication API debugger extension and entered my scope (global_admin:write) and selected “id_token” for response type

The resulting JWT doesn’t have the scope I requested, which seems to suggest that the user doesn’t have the right permissions. But I have confirmed that this user is present in the role I created in (2). What gives? Would appreciate any help or pointers in figuring this out. Thanks!

Hi @vinayvinay,

Welcome to the Auth0 Community!

It sounds like this should be working according to your description. Will you please DM me the name of the tenant so I can double check your configuration?

Everything looks okay in your config. I can’t see if you have the RBAC and Add Permissions settings enabled, but it should be fairly obvious. Can you please post a code snippet of the request you are making?

Both RBAC and Add Permissions are enabled in my API settings. I’m making a request from the Auth0 Authentication API Debugger to reduce the number of variables (i.e. there is no code from my end involved). I’ve entered the following info:

  1. Username: (this email has been added to the right role with admin privileges on the API)
  2. Response Type: id_token
  3. Scope: openid email global_admin:write
  4. Nonce: foo

I then click OAUTH / OIDC login. The JWT I get back has my email and email_verified but doesn’t have anything for the global_admin:write scope I requested. Please let me know if I should be doing something else.

It looks like you might be missing the audience param. This param tells Auth0 which API the user is requesting access to.

Great catch. I thought this was it, but specifying the audience parameter still doesn’t solve my problem :frowning:

The JWT is still missing scope permissions.

Are you looking for them in the ID token?

Yes, I’m looking for it in the id_token. I DMed you a sample JWT I received. One thing I noticed is that regardless of whether I put something in the “Audience” field I see the same “aud” value in the JWT returned by Auth0. Is there something special I need to do to get the Audience to take effect?

Using “token” instead of “id_token” fixed my problem!! Thank you to Dan for the suggestion. Appreciate the time and help very much.

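The root cause in this thread is a token-type mix-up: an ID token is addressed to the application (its `aud` is the client_id) and describes the user, so it never carries API permissions; the `permissions` claim that "Add Permissions in the Access Token" enables lands in the access token, and only when the request names the API via `audience`. The script below is an added example, not code from the original post or from Auth0: it builds the `/authorize` request the debugger submits, mints two constructed tokens shaped like the ID token and the access token from the thread, and runs a check that reports *why* a permission is absent (wrong token or wrong audience versus a missing role). Everything in it is an assumption for the sake of running offline: the tenant domain, client_id, API identifier and redirect URI are made up, and the tokens are HS256-signed with a constructed secret, whereas real Auth0 tokens are RS256 by default and must be verified against the tenant's JWKS.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# All identifiers below are constructed for this example, not real tenant values.
DOMAIN = "example-tenant.auth0.com"          # assumption: tenant domain
CLIENT_ID = "constructed-client-id"          # assumption: application client_id
API_IDENTIFIER = "https://api.example.com"   # assumption: the API's identifier (audience)
REDIRECT_URI = "https://app.example.com/callback"  # assumption: allowed callback URL
SECRET = b"constructed-demo-hs256-secret"    # assumption: HS256 secret (Auth0 uses RS256 by default)


def authorize_url(response_type: str, scope: str, audience: str = "") -> str:
    """Build the /authorize URL the debugger submits. Without `audience`, Auth0 has no
    API to bind the token to, so no API permissions can be added to it."""
    params = {
        "response_type": response_type,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "nonce": "foo",
        "state": "constructed-state",
    }
    if audience:
        params["audience"] = audience
    return f"https://{DOMAIN}/authorize?{urlencode(params)}"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict) -> str:
    """Mint a compact JWT; stands in for Auth0's issuer so the example runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str) -> dict:
    """Check structure, algorithm and signature before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def check_permission(token: str, permission: str) -> tuple:
    """Return (granted, reason). The reason separates the two failure modes in the
    thread: a token not meant for the API versus a permission the user lacks."""
    claims = verify_hs256(token)
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if API_IDENTIFIER not in audiences:
        return False, f"aud={audiences}: not an access token for {API_IDENTIFIER} (ID token, or audience not requested)"
    if claims.get("exp", 0) <= int(time.time()):
        return False, "token expired"
    granted = claims.get("permissions", [])
    if permission in granted:
        return True, "ok"
    return False, f"{permission!r} not in permissions={granted}: check RBAC and role assignment"


NOW = int(time.time())

# Constructed equivalent of what response_type=id_token returned in the thread: the
# ID token is addressed to the application (aud=client_id), so no API permissions.
ID_TOKEN = sign_hs256({
    "iss": f"https://{DOMAIN}/", "sub": "auth0|constructed-user", "aud": CLIENT_ID,
    "email": "user@example.com", "email_verified": True, "nonce": "foo",
    "iat": NOW, "exp": NOW + 3600,
})

# Constructed equivalent of response_type=token with audience=API_IDENTIFIER: an
# access token bound to the API, carrying the scope and the RBAC permissions claim.
ACCESS_TOKEN = sign_hs256({
    "iss": f"https://{DOMAIN}/", "sub": "auth0|constructed-user",
    "aud": [API_IDENTIFIER, f"https://{DOMAIN}/userinfo"],
    "scope": "openid email global_admin:write", "permissions": ["global_admin:write"],
    "iat": NOW, "exp": NOW + 3600,
})

if __name__ == "__main__":
    print(authorize_url("token", "openid email global_admin:write", API_IDENTIFIER))
    print(check_permission(ID_TOKEN, "global_admin:write"))
    print(check_permission(ACCESS_TOKEN, "global_admin:write"))
```

When run, the ID token fails on the audience check (the token is not for the API at all), while the access token passes; pasting a real token into `check_permission` after swapping `verify_hs256` for RS256 verification against the tenant's JWKS gives the same diagnostic. The `aud` check comes before the permissions check on purpose: a resource server that skips it will happily accept an ID token, or an access token minted for a different API, as long as the signature verifies.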

Glad we could get it figured out!
