connection_scope values not merged properly with OAuth connection's pre-configured scopes

Problem statement

When a client that uses the X social connection provides connection scopes (through the connection_scope attribute), the resulting scope used in the authorisation flow between Auth0 and X’s authorisation server is malformed. This happens only when the social connection has pre-configured scopes in addition to the ones provided by the client. Passing the connection_scopes from the client works correctly only when there is no pre-configured scope on the social connection in Auth0.

Symptoms

When merged, the resulting scope has the format “<client_connection_scopes>,<pre_configured_connection_scopes>”: a comma is added between the scopes provided by the client and the ones already configured on the social connection. This causes a problem on the social connection’s authorisation server, as the comma is not expected in the “scope” attribute. Therefore, the flow won’t complete and the user won’t be able to log in or sign up.
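The malformed value described above can be spotted by inspecting the scope parameter of the outgoing authorization request. The following is an added example, not Auth0 code and not the pending fix; the idp.example URLs, the placeholder client ID and the sample scope values are constructed, and the function names are hypothetical.

```javascript
// Added example, not Auth0 code. All URLs and scope values are constructed.

// RFC 6749 section 3.3: "scope" is a space-delimited list of tokens.
function splitScope(value) {
  return value.split(' ').filter((t) => t.length > 0);
}

// Merge client-supplied and pre-configured scopes into one space-delimited,
// de-duplicated string. Assumption: either input may arrive space- or
// comma-separated, so both separators are accepted on input.
function mergeScopes(clientScopes, preconfiguredScopes) {
  const seen = new Set();
  for (const source of [clientScopes, preconfiguredScopes]) {
    for (const token of String(source || '').split(/[\s,]+/)) {
      if (token) seen.add(token);
    }
  }
  return [...seen].join(' ');
}

// Return the scope tokens in an authorization request URL that contain a
// comma. A comma is a legal scope-token character, so the server does not
// split on it: "a,b" is read as ONE scope name, which matches nothing.
function commaJoinedTokens(authorizeUrl) {
  const scope = new URL(authorizeUrl).searchParams.get('scope') || '';
  return splitScope(scope).filter((t) => t.includes(','));
}

// Constructed request showing the symptom: client scopes, a comma, then the
// pre-configured scope.
const BROKEN_URL =
  'https://idp.example/authorize?response_type=code' +
  '&client_id=CLIENT_ID_PLACEHOLDER' +
  '&scope=tweet.read%20users.read%2Coffline.access';

// The same request with the two scope sets merged correctly.
const fixed = new URL('https://idp.example/authorize');
fixed.searchParams.set('response_type', 'code');
fixed.searchParams.set('client_id', 'CLIENT_ID_PLACEHOLDER');
fixed.searchParams.set(
  'scope',
  mergeScopes('tweet.read users.read', 'offline.access')
);
const FIXED_URL = fixed.toString();

console.log('broken:', commaJoinedTokens(BROKEN_URL));
console.log('fixed: ', commaJoinedTokens(FIXED_URL));
```

Running the check against the redirect captured from a failing login shows whether the client scopes and the connection's pre-configured scopes were joined with a comma.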

Solution

Our Engineering team is working on this issue, and we’ll make sure to provide updates on it shortly.