I can’t seem to figure out why my login authentication only returns the default scope even though I’m specifying one. Here’s what my lock configuration looks like:
// Auth0LockPasswordless comes from the 'auth0-lock' package (Lock v11, as the auth0Client header below shows).
private lock = new Auth0LockPasswordless(authConfig.clientID, authConfig.domain, {
  allowedConnections: ['sms'],      // passwordless over SMS only
  passwordlessMethod: 'code',       // one-time code rather than magic link
  auth: {
    redirect: false,                // popup / web_message flow instead of full redirect
    audience: authConfig.domain + '/api/v2/',   // request an access token for the Management API
    responseType: 'token id_token',
    params: {
      // requested scopes: the three OIDC ones plus two extra
      scope: 'openid profile email user_metadata read:users'
    }
  }
});
According to the docs online, this should ask for the correct scopes on login. Instead, the JWT that comes back always has only 'openid profile email' listed in its scope. What could I be doing wrong?
Here’s what the network request shows:
Request URL: https://[tenant].auth0.com/authorize?client_id=*****&response_type=token%20id_token&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2F&audience=https%3A%2F%2F[tenant].auth0.com%2Fapi%2Fv2%2F&realm=sms&scope=openid%20profile%20email%20user_metadata%20read%3Ausers&state=A6QQ9HdFRoIbiAe7cxszwsZO3flDXVqm&nonce=76j7OTl2Km6qARyZyMi_PUEL6B8VJ8aN&login_ticket=SoQAFCZZeAHQNbBH1Q0k0-sCy8ETxFww&response_mode=web_message&prompt=none&auth0Client=eyJuYW1lIjoibG9jay5qcyIsInZlcnNpb24iOiIxMS44LjEiLCJsaWJfdmVyc2lvbiI6eyJyYXciOiI5LjcuMyJ9fQ%3D%3D
Request Method: GET
Status Code: 200
Remote Address: 52.11.84.238:443
Referrer Policy: no-referrer-when-downgrade
Which seems to be passing the scope correctly. When I decode the returned JWT, though, it looks like this:
{
  "iss": "https://[tenant].auth0.com/",
  "sub": "sms|5b5e19eea6803a91919e9355",
  "aud": [
    "https:/[tenant].auth0.com/api/v2/",
    "https://[tenant].auth0.com/userinfo"
  ],
  "iat": 1533503179,
  "exp": 1533510379,
  "azp": "sNX0Jn1Nj4IW4a63WKapGxRDnO4ArIlM",
  "scope": "openid profile email"
}
Does this mean my scope parameters were ignored?
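Added example, not part of the original post: a small Node.js script that does the comparison the question performs by hand. It pulls the `scope` parameter out of the /authorize URL, decodes the access token's payload (without verifying the signature; this is for inspection only) and lists the scopes that were requested but not granted. The tenant name, client id, subject and the unsigned sample token are constructed placeholders modelled on the values above; the script says nothing about why the scopes were dropped, it only confirms which ones were.

```javascript
// Added example (not from the original post): compare the scopes requested in the
// /authorize URL with the scopes actually granted in the returned access token.
// SAMPLE_AUTHORIZE_URL and SAMPLE_TOKEN are constructed to mirror the question;
// the token is an unsigned, hand-built JWT and must never be trusted for anything
// beyond this offline comparison.

// Decode a base64url segment (JWT segments are base64url, not plain base64).
function base64UrlDecode(segment) {
  const pad = (4 - (segment.length % 4)) % 4;
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat(pad);
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Encode an object as a base64url JSON segment (no padding).
function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Return the decoded payload of a compact JWT WITHOUT verifying its signature.
// Good enough for looking at a token you just received; never use it to trust one.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Space-delimited scope list from the /authorize request URL.
function requestedScopes(authorizeUrl) {
  const scope = new URL(authorizeUrl).searchParams.get('scope') || '';
  return scope.split(/\s+/).filter(Boolean);
}

// Scopes present in the token's `scope` claim.
function grantedScopes(token) {
  return (decodeJwtPayload(token).scope || '').split(/\s+/).filter(Boolean);
}

// Scopes that were asked for but do not appear in the token.
function missingScopes(authorizeUrl, token) {
  const granted = new Set(grantedScopes(token));
  return requestedScopes(authorizeUrl).filter(s => !granted.has(s));
}

// Build an unsigned JWT (alg "none", empty signature) so the example runs offline.
function unsignedJwt(payload) {
  return `${base64UrlEncode({ alg: 'none', typ: 'JWT' })}.${base64UrlEncode(payload)}.`;
}

// Constructed sample input modelled on the question (tenant, client id and subject are placeholders).
const SAMPLE_AUTHORIZE_URL =
  'https://example-tenant.auth0.com/authorize?client_id=CLIENT_ID&response_type=token%20id_token' +
  '&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2F' +
  '&audience=https%3A%2F%2Fexample-tenant.auth0.com%2Fapi%2Fv2%2F&realm=sms' +
  '&scope=openid%20profile%20email%20user_metadata%20read%3Ausers';

const SAMPLE_TOKEN = unsignedJwt({
  iss: 'https://example-tenant.auth0.com/',
  sub: 'sms|000000000000000000000000',
  aud: ['https://example-tenant.auth0.com/api/v2/', 'https://example-tenant.auth0.com/userinfo'],
  iat: 1533503179,
  exp: 1533510379,
  scope: 'openid profile email',
});

console.log('requested:', requestedScopes(SAMPLE_AUTHORIZE_URL));
console.log('granted:  ', grantedScopes(SAMPLE_TOKEN));
console.log('missing:  ', missingScopes(SAMPLE_AUTHORIZE_URL, SAMPLE_TOKEN)); // [ 'user_metadata', 'read:users' ]
```

To use it against a real login, paste the Request URL from the network tab as the first argument and the access token (not the id_token) as the second; `decodeJwtPayload` deliberately skips signature verification, so keep it for inspection and leave validation to a proper JWT library.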