Auth0LockPasswordless returns JWT with default scope instead of specified scope

I can’t seem to figure out why my login authentication only returns the default scope even though I’m specifying one. Here’s what my lock configuration looks like:

private lock = new Auth0LockPasswordless(authConfig.clientID, authConfig.domain, {
allowedConnections: ['sms'],
passwordlessMethod: 'code',
auth: {
    redirect: false,
    audience: authConfig.domain + '/api/v2/',
    responseType: 'token id_token',
    params: {
        scope: 'openid profile email user_metadata read:users'
    }
}
});

According to the docs online, this should ask for the correct scopes on login. Instead, my JWT returns always has only ‘openid profile email’ scope access rights listed on it. What could I be doing wrong?

Here’s what the network request shows:

Request URL: https://[tenant].auth0.com/authorize?client_id=*****&response_type=token%20id_token&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2F&audience=https%3A%2F%2F[tenant].auth0.com%2Fapi%2Fv2%2F&realm=sms&scope=openid%20profile%20email%20user_metadata%20read%3Ausers&state=A6QQ9HdFRoIbiAe7cxszwsZO3flDXVqm&nonce=76j7OTl2Km6qARyZyMi_PUEL6B8VJ8aN&login_ticket=SoQAFCZZeAHQNbBH1Q0k0-sCy8ETxFww&response_mode=web_message&prompt=none&auth0Client=eyJuYW1lIjoibG9jay5qcyIsInZlcnNpb24iOiIxMS44LjEiLCJsaWJfdmVyc2lvbiI6eyJyYXciOiI5LjcuMyJ9fQ%3D%3D
Request Method: GET
Status Code: 200 
Remote Address: 52.11.84.238:443
Referrer Policy: no-referrer-when-downgrade

Which seems to be passing the scope correctly. When I decode the returned JWT though, it looks like:

{
  "iss": "https://[tenant].auth0.com/",
  "sub": "sms|5b5e19eea6803a91919e9355",
  "aud": [
"https:/[tenant].auth0.com/api/v2/",
"https://[tenant].auth0.com/userinfo"
  ],
  "iat": 1533503179,
  "exp": 1533510379,
  "azp": "sNX0Jn1Nj4IW4a63WKapGxRDnO4ArIlM",
  "scope": "openid profile email"
}

Which means my scope parameters were ignored?

it’s possible we are performing an OpenID Connect (OIDC) compliant authentication request, which means the user_metadata claim will not be returned even if you request it as part of the scope. The token will only contain the information associated with the standard scopes like openid, email, and proilfe, (see this section of the specification). This is due to the fact that user_metadata is not a standard OIDC claim. If you want to include additional information we can add custom claims through a Rule.

Thanks for the reply Kim. I’ve added user_metadata using rule, however my JWT still has no write access. Without the ability to update user information my client side application is dead in the water.

How can I obtain a JWT with write access to my API during authentication?

I guess what I’m confused about is when you have OIDC compiant authentication, how do users update their profile information on the client side? It seems the token I receive is only ever read-only access.

Is it possible to POST to /userinfo with a users updated profile information? How can I allow the clientside to update a users profile information?

@Syntaf1 we can still get tokens for the Management API from the frontend, but they will be very limited in scope and what we can update. We can send a PATCH to update their profile information. What information are you looking to update?

More information on getting a token for the frontend can be found here:

https://auth0.com/docs/api/management/v2/tokens#get-a-token-from-the-frontend