Client credentials restrict scope with action instead of hook

With machine-to-machine tokens, we need the ability to limit the scope issued in the token to be no more than what’s requested.

I found this solution using a custom hook: Client credentials request ignores scope parameter?

However, it looks like hooks are being deprecated. But when I try to do the same in actions:

```javascript
exports.onExecuteCredentialsExchange = async (event, api) => {
  if (event.transaction.requested_scopes.length === 0) {
    api.access.deny('invalid_request', "Scope missing in the request body.");
  } else {
    api.accessToken.setCustomClaim('scope', event.transaction.requested_scopes.join(' '));
  }
};
```

I got an error: The "scope" claim cannot be set.

How do you expect people to migrate from hooks to actions, when actions don’t provide the same capability?

Hi,

I may be wrong, but I think it’s because you’re using “setCustomClaim” instead of “addScope” or “removeScope”. Actions Triggers: post-login - API Object (auth0.com). It looks like these methods can help you modify which scopes are to be used.
Is it of any help?

Thanks for the reply, but the document you linked is for user-login flow only.

The “api” object in the machine-to-machine flow does not have an equivalent: Actions Triggers: credentials-exchange - API Object, and I get an error in the editor.


Sorry for the confusion, I didn’t realize I was on the user login flow part. You were right and there is no scope modification available for the API Object. Modify scopes within an action - Auth0 Community was already about the same topic in 2021…
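An added example, not code from any poster in this thread or from Auth0: since the Action cannot rewrite `scope`, one option is to record the requested scopes in a separate claim and have the API enforce the intersection. The claim name `https://example.com/requested_scopes` and the helpers `effectiveScopes` and `isAllowed` are hypothetical, and the sketch assumes a namespaced custom claim is accepted in this trigger and that the API has already verified the token signature.

```javascript
// Hypothetical namespaced claim carrying what the client asked for.
const REQUESTED_CLAIM = 'https://example.com/requested_scopes';

// Action side (credentials-exchange). In the Action editor this function
// would be assigned to exports.onExecuteCredentialsExchange.
const onExecuteCredentialsExchange = async (event, api) => {
  const requested = event.transaction.requested_scopes || [];
  if (requested.length === 0) {
    api.access.deny('invalid_request', 'Scope missing in the request body.');
    return;
  }
  // "scope" itself cannot be set here, so the request is recorded separately.
  api.accessToken.setCustomClaim(REQUESTED_CLAIM, requested.join(' '));
};

// Split a space-delimited claim; anything that is not a string yields [].
const splitScopes = (v) => (typeof v === 'string' ? v.split(' ').filter(Boolean) : []);

// Resource-server side: call with the payload of a signature-verified token.
// Effective scopes = granted scopes (scope claim) intersected with requested.
function effectiveScopes(payload) {
  const requested = new Set(splitScopes(payload[REQUESTED_CLAIM]));
  // Fails closed: a token without the requested-scopes claim gets nothing.
  return splitScopes(payload.scope).filter((s) => requested.has(s));
}

function isAllowed(payload, needed) {
  return effectiveScopes(payload).includes(needed);
}

// Constructed sample payload: three scopes granted, one requested.
const samplePayload = {
  scope: 'read:reports write:reports delete:reports',
  [REQUESTED_CLAIM]: 'read:reports',
};
console.log(effectiveScopes(samplePayload), isAllowed(samplePayload, 'write:reports'));
```

Because the intersection starts from the `scope` claim, a client that requests a scope it was never granted gains nothing from listing it.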