In the authorization code flow, do we need to add the permissions to the user to get the scopes in the token? I have a client, and I’ve added the scopes to the client. However, when I request the token, the scopes are not being added to the token. When I add the permissions to the user and then request the scopes, the access token contains the scopes. I wanted to make sure that this is the only way to get the scopes added to the access token.
Hi @gaurav.sharma,
Welcome to the Auth0 Community!
Generally, to get the permissions in your access token, you should specify the audience and scopes in the login request.
If you want to manually add scopes during the login request, you can use a post-login action script.
For example:
exports.onExecutePostLogin = async (event, api) => {
  // Placeholder scope name; replace with the scope you want to add.
  const scope = "read:example";
  api.accessToken.addScope(scope);
};
(Reference: Actions Triggers: post-login - API Object)
Let me know if you have any follow-up questions.
Thanks,
Rueben
Thanks Rueben,
So this is my request:
authorize?response_type=code&client_id=gJWtiV4EbSdHiDH19VyixA6zid1WRRzk&redirect_uri=http://test/fhir/&scope=launch%2Fpatient+openid+fhirUser+offline_access+patient%2FMedication.read&audience=fhir&state=hhhh
The client “gJWtiV4EbSdHiDH19VyixA6zid1WRRzk” has all the permissions that were requested in the scope. In the post-login script I’m adding the scopes to the token. However, if the user does not have those permissions (not the client), the scopes don’t get added. If I add the permissions, I see the scopes being added. Does this mean we need to add the permissions to both the client and the user?
Hi @gaurav.sharma,
Thanks for your reply and clarification.
Yes, you would need to grant the user these permissions, as they are the ones authenticating against your API.
Check out our Assign Permissions to Users documentation.
Thanks,
Rueben
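To check which requested scopes actually reached the access token in a case like the one in this thread, the following added example (not part of the original posts and not Auth0's own code) compares the `scope` parameter of an authorize request with the `scope` claim of the issued token. It assumes a JWT access token with a space-delimited `scope` claim; the function names, the base URL, the client ID placeholder and the sample token are constructed for illustration.

```javascript
// Added example. Sample URL and token are constructed, not from a real tenant.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Build an unsigned, constructed token so the example runs offline.
function makeSampleToken(payload) {
  return [b64url({ alg: "none", typ: "JWT" }), b64url(payload), "sig"].join(".");
}

const splitScopes = (s) => (s || "").split(/\s+/).filter(Boolean);

// Scopes asked for in the `scope` query parameter of an /authorize request.
function requestedScopes(authorizeUrl) {
  // Base URL is a placeholder so relative "authorize?..." strings parse too.
  const url = new URL(authorizeUrl, "https://tenant.example/");
  return splitScopes(url.searchParams.get("scope")); // "+" and %2F are decoded
}

// Decode the JWT payload WITHOUT verifying the signature: inspection only,
// never an authorization decision.
function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("expected a three-part compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Compare what was requested with what the token's `scope` claim carries.
function diffScopes(authorizeUrl, accessToken) {
  const requested = requestedScopes(authorizeUrl);
  const granted = new Set(splitScopes(decodePayload(accessToken).scope));
  return {
    granted: requested.filter((s) => granted.has(s)),
    dropped: requested.filter((s) => !granted.has(s)), // asked for, not issued
    unrequested: [...granted].filter((s) => !requested.includes(s)), // e.g. added by an Action
  };
}

const SAMPLE_AUTHORIZE_URL = "authorize?response_type=code&client_id=CLIENT_ID_PLACEHOLDER" +
  "&scope=launch%2Fpatient+openid+fhirUser+offline_access+patient%2FMedication.read" +
  "&audience=fhir&state=hhhh";
// Constructed payload for a user who lacks the API permissions.
const SAMPLE_TOKEN = makeSampleToken({ aud: "fhir", scope: "openid offline_access" });

console.log(diffScopes(SAMPLE_AUTHORIZE_URL, SAMPLE_TOKEN));
```

A non-empty `dropped` list points at permissions missing on the user, while a non-empty `unrequested` list shows scopes the token carries that the client never asked for.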