Confused: Permissions are not part of Scopes in JWT token

Hi

I’m a little confused about how the terms “Scope” and “Permissions” are used between the documentation, the official examples and the settings themselves here at Auth0. I’ve read all the questions here around the same topic, but I am confused once more after reading them.

As one can see at the page https://auth0.com/docs/quickstart/backend/golang/01-authorization#validate-scopes, the function checkScopes will be used to ask for a permission “read:messages” within the scope of the Claims of the JWT token. However, although I added some permissions to the user that I was using here, they are not present in the scope. The scope consists of just “openid profile email”.

Permissions are not present in the returned token at all.

Is this a bug or a feature or what I got wrong here?

Many thanks in advance for any explanation.

Hi @clubbing,

You may find this FAQ helpful: What is the difference between scopes and permissions?

I’m going to spin up the Quickstart app to see if I can recreate this behavior. I will reply with more information once I investigate a bit more.


Hi @clubbing,

I apologize for the delay! When I specify the scope in the client app, I’m seeing the scopes in the Access Token.

For example, in my React app:

  import React from "react";
  import ReactDOM from "react-dom";
  import { Auth0Provider } from "@auth0/auth0-react";

  // config, App and onRedirectCallback are defined elsewhere in the app
  ReactDOM.render(
    <Auth0Provider
      domain={config.domain}
      clientId={config.clientId}
      audience={config.audience}      // identifier of the API the token is for
      scope="read:messages"           // API scope requested on top of the OIDC defaults
      redirectUri={window.location.origin}
      onRedirectCallback={onRedirectCallback}
      cacheLocation="localstorage"
      useRefreshTokens={true}
    >
      <App />
    </Auth0Provider>,
    document.getElementById("root")
  );

The scopes in the Access Token are returned as: "scope": "openid profile email read:messages"

(openid profile email are the default OIDC scopes and read:messages is specific to my API)

Would you mind sharing the code for where your client app is setting up the Auth0 client or sending the token request? (Please remove any sensitive data such as domain and Client ID)

Thanks!
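The scope check the question refers to (checkScopes in the Go quickstart), written out as an added example that is not the quickstart's or Auth0's own code: a Go middleware that reads the verified claims and rejects a token whose space-delimited scope claim lacks read:messages, which is exactly what happens when the client only requested the default openid profile email scopes. The context key and the WithClaims helper are assumptions standing in for whatever the JWT-verifying middleware does.

```go
package main

import (
	"context"
	"net/http"
	"strings"
)

// CustomClaims mirrors the shape discussed in the thread: the scope claim is a
// single space-delimited string such as "openid profile email read:messages".
// Added example; it assumes the JWT middleware has already verified the token
// signature and stored the claims in the request context under claimsKey
// (a hypothetical key name).
type CustomClaims struct {
	Scope string `json:"scope"`
}

type ctxKey string

const claimsKey ctxKey = "claims"

// HasScope matches whole space-delimited entries, so "read:messages" does not
// match "read:messages2" the way a substring check would.
func (c CustomClaims) HasScope(required string) bool {
	for _, s := range strings.Fields(c.Scope) {
		if s == required {
			return true
		}
	}
	return false
}

// RequireScope wraps a handler and rejects requests whose verified claims lack
// the required scope. A missing or empty scope claim (the situation in the
// question, where the client never asked for "read:messages") is rejected the
// same way as one that lists other scopes only.
func RequireScope(required string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		claims, ok := r.Context().Value(claimsKey).(CustomClaims)
		if !ok || !claims.HasScope(required) {
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusForbidden)
			_, _ = w.Write([]byte(`{"message":"Insufficient scope."}`))
			return
		}
		next.ServeHTTP(w, r)
	})
}

// WithClaims is how the (assumed) JWT middleware would attach verified claims.
func WithClaims(r *http.Request, c CustomClaims) *http.Request {
	return r.WithContext(context.WithValue(r.Context(), claimsKey, c))
}
```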
