
Cannot get scope limited as per the examples without breaking the id token

My id_token looks like this:

{
  "http://sample.co/uid": "1831",
  "http://sample.com/country_code": "GB",
  "http://sample.co/timezone": "Europe/London",
  "given_name": "Joe",
  "family_name": "Bloggs",
  "nickname": "joe123",
  "name": "Joe Bloggs",
  "picture": "https://img.sample.com/noimage.png",
  "updated_at": "2019-06-26T20:12:32.610Z",
  "email": "joe.bloggs@yahoo.co.uk",
  "email_verified": false,
  "iss": "https://auth.sample.com/",
  "sub": "auth0|1831",
  "aud": "m05o2KJmFi9bKH5MnXe9S1fvJzPOixRJ",
  "iat": 1561579952,
  "exp": 1561615952
}

If no scope is requested a user will get all the scope. I have to control the scope and intend to use parameters in the user’s app_metadata to add additional scope. I also have to limit the scope by only giving users the scope they request or in most cases just a default scope like this:

By using this example: https://auth0.com/docs/rules/references/samples

function(user, context, callback) {
  context.accessToken.scope = ['openid', 'user'];
  callback(null, user, context);
}

But this breaks the id_token, I lose most of the id data in my id_token.

{
  "http://sample.co/uid": "1831",
  "http://sample.com/country_code": "GB",
  "http://sample.co/timezone": "Europe/London",
  "iss": "https://auth.sample.com/",
  "sub": "auth0|1831",
  "aud": "m05o2KJmFi9bKH5MnXe9S1fvJzPOixRJ",
  "iat": 1561580367,
  "exp": 1561616367
}

But on the bright side, the scope is now working.

Is there a way this can work?

If you want to control scope from rules then it’s an all or nothing approach as in you’ll also need to consider the OIDC scopes that should be granted.

If instead of allowing just openid you also allow profile and email scopes then the ID token will again contain the information in your sample. You can see the mapping of scopes to ID token claims at https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims.
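An added example (not from the thread or from Auth0's samples) of a rule that limits scope without stripping the ID token: it grants only requested scopes that are on an allow-list which includes the OIDC `profile` and `email` scopes, and maps granted scopes to the standard claims they release. The `extra_scopes` key in `app_metadata`, the default list and the function names are assumptions; reading the request from `context.request.query.scope` assumes the scope arrives as a query parameter.

```javascript
// Added example. `extra_scopes` is a hypothetical app_metadata key.
// Standard claims released per scope (OpenID Connect Core, section 5.4).
const OIDC_SCOPE_CLAIMS = {
  profile: ['name', 'family_name', 'given_name', 'middle_name', 'nickname',
    'preferred_username', 'profile', 'picture', 'website', 'gender',
    'birthdate', 'zoneinfo', 'locale', 'updated_at'],
  email: ['email', 'email_verified'],
  address: ['address'],
  phone: ['phone_number', 'phone_number_verified'],
};

// Default grant: the OIDC scopes the ID token needs plus the custom 'user' scope.
const DEFAULT_SCOPES = ['openid', 'profile', 'email', 'user'];

// Requested scopes filtered by the allow-list; defaults when nothing is requested.
function grantScopes(requested, extraScopes) {
  const allowed = new Set([...DEFAULT_SCOPES, ...extraScopes]);
  const asked = (requested || '').split(/\s+/).filter(Boolean);
  if (asked.length === 0) return [...DEFAULT_SCOPES];
  return [...new Set(asked.filter((s) => allowed.has(s)))];
}

// Which standard ID token claims a set of granted scopes releases.
function idTokenClaimsFor(scopes) {
  return scopes.flatMap((s) => OIDC_SCOPE_CLAIMS[s] || []);
}

// Rule body in the same shape as the rule posted in the question.
function limitScopes(user, context, callback) {
  const query = (context.request && context.request.query) || {};
  const extras = (user.app_metadata && user.app_metadata.extra_scopes) || [];
  context.accessToken.scope = grantScopes(
    query.scope, Array.isArray(extras) ? extras : []);
  callback(null, user, context);
}
```

`idTokenClaimsFor(['openid', 'user'])` returns an empty list, which matches the reduced ID token shown in the question.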
