
Change in Authentication APIs in the last 2 days?



I created a non-interactive Authentication API two days ago, and gave it “offline_access” scope, and “openid”. All works fine except I don’t get the username when I request userinfo.
So today I tried to add “profile” scope just to experiment to see if it would help, but when I try to save it tells me:
"the scopes field cannot include the reserved scopes: offline_access"
But the “offline_access” scope field is already there. I added it as per the documentation to enable refresh tokens, and it works fine - I just can’t save any changes.


In the configuration settings of the API that you created, the way to specify whether the API allows refresh tokens to be issued to client applications is by enabling the Allow Offline Access toggle. You should not create an API scope named offline_access; the toggle is what is meant to control whether refresh tokens are issued or not.

The change introduced in terms of validation is meant to remove that possible confusion and disallow the adding of scopes that are not meant to be created and are instead controlled by configuration toggles.

The recommendation would be for you to remove the offline_access scope, save the configuration and then enable the associated toggle. This should still allow your client application to request refresh tokens. In relation to the username situation, the information provided is not sufficient to provide a definitive answer.