Client credentials request ignores scope parameter?

Hi Martin.

What you are seeing is the expected behavior. With the client-credentials grant, Auth0 returns all the scopes granted to the application, regardless of the scope parameter. The rationale behind this decision is that the requester already has the credentials (the “keys to the kingdom”) to ask for any scope, so there’s no point in restricting the scopes by default.
If your particular use case causes the issued tokens to be less secure than the client_id/client_secret pair, you can use a client-credentials hook to restrict the scopes of the returned token to those that the client asked for, with something like this:

module.exports = function(client, scope, audience, context, cb) {
  // scope: the scopes granted to the application (what Auth0 returns by default)
  var access_token = {};
  access_token.scope = scope;
  if (client.id === 'xxxxxx') {
    // restrict scopes to those requested by the application
    var requestedScopes = (context.body.scope || "").split(' ');
    // return only the intersection with those scopes
    // that were originally granted (the scope parameter)
    access_token.scope = requestedScopes.filter(x => scope.indexOf(x) !== -1);
  }
  cb(null, access_token);
};
1 Like
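The hook from the answer above, reworked as an added example (not code from the post or from Auth0): the intersection is factored into a pure function, and the case where the client sends no scope parameter at all falls back to the granted scopes instead of issuing an empty scope. The client id, granted scopes and audience are constructed sample values, and the hook's `scope` argument is assumed to be an array of granted scope strings.

```javascript
// Returns the requested scopes that are also in the granted list.
// A missing or blank scope parameter falls back to the granted scopes
// (Auth0's default), because a bare split(' ') on "" would yield [""]
// and the token would end up with no scopes at all.
function restrictScopes(grantedScopes, requestedScopeParam) {
  if (typeof requestedScopeParam !== 'string' || requestedScopeParam.trim() === '') {
    return grantedScopes.slice();
  }
  const requested = requestedScopeParam.trim().split(/\s+/);
  // Keep the granted order; duplicates in the request collapse naturally.
  return grantedScopes.filter((s) => requested.includes(s));
}

// Same signature as the post's hook; the restriction applies only to the
// one client id (a hypothetical placeholder), as in the original.
function clientCredentialsHook(client, scope, audience, context, cb) {
  const accessToken = { scope: scope };
  if (client.id === 'HYPOTHETICAL_CLIENT_ID') {
    accessToken.scope = restrictScopes(scope, context.body && context.body.scope);
  }
  cb(null, accessToken);
}

// Invokes the hook with constructed inputs and returns the issued scopes.
function runHook(clientId, requestedScope) {
  let issued;
  clientCredentialsHook(
    { id: clientId },
    ['read:users', 'update:users', 'delete:users'], // constructed granted scopes
    'https://api.example.test',                     // constructed audience
    { body: { scope: requestedScope } },
    (err, token) => { if (err) throw err; issued = token.scope; }
  );
  return issued;
}

// A client granted three scopes asks for two, one of which was never granted:
// only the granted one survives. // → [ 'read:users' ]
console.log(runHook('HYPOTHETICAL_CLIENT_ID', 'read:users delete:everything'));
```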