Client credentials restrict scope with action instead of hook

With machine-to-machine tokens, we need the ability to limit the scope issued in the token to be no more than what’s requested.

I found this solution using a custom hook: Client credentials request ignores scope parameter?

However, it looks like hooks are being deprecated. But when I try to do the same in Actions:

exports.onExecuteCredentialsExchange = async (event, api) => {
  if(event.transaction.requested_scopes.length === 0) {
    api.access.deny('invalid_request', "Scope missing in the request body.");
  } else {
    api.accessToken.setCustomClaim('scope', event.transaction.requested_scopes.join(' '))
  }
};

I got an error: The "scope" claim cannot be set.

How do you expect people to migrate from hooks to actions, when actions don’t provide the same capability?


Hi,

I may be wrong, but I think it’s because you’re using “setCustomClaim” instead of “addScope” or “removeScope”. Actions Triggers: post-login - API Object (auth0.com). Looks like these methods can help you modify what scopes are to be used.
Is it of any help?

Thanks for the reply, but the document you linked is for user-login flow only.

The “api” object in machine to machine flow does not have an equivalent: Actions Triggers: credentials-exchange - API Object, and I get an error in the editor


Sorry for the confusion, I didn’t realize I was on the user login flow part. You were right and there is no scope modification available for the API Object. Modify scopes within an action - Auth0 Community already was about the same topic in 2021…
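
Given that the credentials-exchange trigger cannot change `scope`, one possible workaround is to record the requested scopes in a namespaced custom claim and have the API honour only the intersection of granted and requested scopes. This is an added example, not code from the thread or from Auth0; the claim name, `effectiveScopes`, `isAllowed` and `mockApi` are hypothetical, and it assumes you control the API that validates the token.

```javascript
// Added example, not Auth0's code. CLAIM is a hypothetical namespaced claim name.
const CLAIM = "https://api.example.com/requested_scope";

// Action side (credentials-exchange trigger). Uses only the calls that appear
// in the thread: api.access.deny and api.accessToken.setCustomClaim.
function recordRequestedScopes(event, api) {
  const requested = event.transaction.requested_scopes || [];
  if (requested.length === 0) {
    api.access.deny("invalid_request", "Scope missing in the request body.");
    return;
  }
  // "scope" itself cannot be set, so the request is recorded beside it.
  api.accessToken.setCustomClaim(CLAIM, requested.join(" "));
}

const onExecuteCredentialsExchange = async (event, api) =>
  recordRequestedScopes(event, api);
if (typeof exports !== "undefined") {
  exports.onExecuteCredentialsExchange = onExecuteCredentialsExchange;
}

// API side (hypothetical helper): call only after the JWT signature, issuer
// and audience have been verified. Effective scopes = granted AND requested.
function effectiveScopes(payload) {
  const split = (v) => (typeof v === "string" ? v.split(" ").filter(Boolean) : []);
  const granted = split(payload.scope);
  // A missing or malformed claim yields an empty set, so the check fails closed.
  const requested = new Set(split(payload[CLAIM]));
  return granted.filter((s) => requested.has(s));
}

function isAllowed(payload, needed) {
  return effectiveScopes(payload).includes(needed);
}

// Constructed stand-in for the Action's api object, for local runs only.
function mockApi() {
  const out = { denied: null, claims: {} };
  out.api = {
    access: { deny: (code, reason) => { out.denied = { code, reason }; } },
    accessToken: { setCustomClaim: (k, v) => { out.claims[k] = v; } },
  };
  return out;
}
```

The issued token still carries the full granted `scope`, so the restriction holds only in APIs that apply `effectiveScopes` instead of reading `scope` directly.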

Hey there!

As this topic is related to Rules - Hooks - Actions and Rules & Hooks are being deprecated soon I’m excited to let you know about our next Ask me Anything session in the Forum on Thursday, January 18 with the Rules, Hooks and Actions team on Rules & Hooks and why Actions matter! Submit your questions in the thread above and our esteemed product experts will provide written answers on January 18. Find out more about Rules & Hooks and why Actions matter! Can’t wait to see you there!
