Hello everyone,
I have a question about the Scopes management in Auth0. Unfortunately, I couldn’t find the exact answer in the documentation.
I’m trying to grant a scope for a specific client using the Management API. However, I stumbled upon the fact that it’s possible to assign a scope to a client that doesn’t exist in an API.
Here is my setup:
- an M2M client, clientId: 1234567890,
- API (audience): https://my-api.example.com
- there are no permissions in it
I use this Management API (Auth0 Management API v2) to create a client grant:
POST /api/v2/client-grants
{
  "client_id": "1234567890",
  "audience": "https://my-api.example.com",
  "scope": [
    "non-existing-scope"
  ]
}
In the example above, I can create a Grant and afterward request the “non-existing-scope” scope:
curl --request POST \
--url 'https://auth0/oauth/token' \
--header 'content-type: application/x-www-form-urlencoded' \
--data grant_type=client_credentials \
--data client_id=1234567890 \
--data client_secret=<SECRET> \
--data scope=non-existing-scope \
--data audience=https://my-api.example.com
The non-existing-scope scope will be present in the access_token.
Why does the Management API allow creating a client grant with a scope that is not defined in the API? Or why will this scope not be present in the Auth0 Dashboard among other permissions?
Thank you very much in advance!
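Since the behaviour described above means a client grant can carry a scope the API never defined, a pre-flight check on the operator's side is the practical safeguard. The following is an added example, not code from the original post or from Auth0: it takes the resource server's scope list (in the `scopes: [{value, description}]` shape that `GET /api/v2/resource-servers/{id}` returns) and flags any scope in a proposed `POST /api/v2/client-grants` body, or in an issued token's `scope` claim, that the API does not define. All sample data is constructed inline; no network call is made, and the resource server identifier, scope values and token claims are assumptions for illustration.

```python
"""Pre-flight check for Auth0 client grants: flag scopes that the target API
(resource server) does not define, so a grant never silently carries an
undefined scope. All data below is constructed to mirror the shapes used by
the Management API v2 (resource server `scopes` as [{value, description}],
client grant `scope` as a list of strings) and the issued access token
(`scope` claim as a space-separated string). No network calls are made."""

from typing import Iterable

# Constructed sample: what GET /api/v2/resource-servers/{id} would return
# for an API that defines two permissions (assumed values).
SAMPLE_RESOURCE_SERVER = {
    "identifier": "https://my-api.example.com",
    "scopes": [
        {"value": "read:items", "description": "Read items"},
        {"value": "write:items", "description": "Write items"},
    ],
}

# Constructed sample: body of a proposed POST /api/v2/client-grants request
# that mixes one defined scope with one the API never declared.
SAMPLE_GRANT_REQUEST = {
    "client_id": "1234567890",
    "audience": "https://my-api.example.com",
    "scope": ["read:items", "non-existing-scope"],
}

# Constructed sample: decoded payload of a client_credentials access token.
# The issuer and subject are placeholders, not real tenant values.
SAMPLE_TOKEN_PAYLOAD = {
    "iss": "https://example-tenant.auth0.com/",
    "sub": "1234567890@clients",
    "aud": "https://my-api.example.com",
    "scope": "read:items non-existing-scope",
    "gty": "client-credentials",
}


def defined_scopes(resource_server: dict) -> set:
    """Set of scope values the resource server actually declares."""
    return {s["value"] for s in resource_server.get("scopes", [])}


def undefined_scopes(requested: Iterable[str], resource_server: dict) -> list:
    """Requested scopes that the API does not define, in request order."""
    known = defined_scopes(resource_server)
    return [s for s in requested if s not in known]


def validate_grant_request(grant: dict, resource_server: dict) -> list:
    """Return the undefined scopes in a client-grant body; an empty list
    means the grant is safe to create. Refuses to compare against the wrong
    API if the audience does not match the resource server identifier."""
    if grant.get("audience") != resource_server["identifier"]:
        raise ValueError("grant audience does not match resource server identifier")
    return undefined_scopes(grant.get("scope", []), resource_server)


def audit_token_scopes(payload: dict, resource_server: dict) -> list:
    """Scopes present in an issued token that the API never defined.
    The `aud` claim may be a string or a list; the token is only audited
    if it is actually addressed to this resource server."""
    aud = payload.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if resource_server["identifier"] not in audiences:
        raise ValueError("token is not addressed to this resource server")
    claimed = payload.get("scope", "").split()
    return undefined_scopes(claimed, resource_server)


if __name__ == "__main__":
    bad = validate_grant_request(SAMPLE_GRANT_REQUEST, SAMPLE_RESOURCE_SERVER)
    if bad:
        print("refusing to create grant; undefined scopes:", bad)
    leaked = audit_token_scopes(SAMPLE_TOKEN_PAYLOAD, SAMPLE_RESOURCE_SERVER)
    print("undefined scopes found in issued token:", leaked)
```

Run `validate_grant_request` before every `POST /api/v2/client-grants` in provisioning scripts, and `audit_token_scopes` over decoded tokens in a periodic review of existing grants. Independently of what the authorization server issues, the API itself should authorize against its own declared permission list, so a scope string that is not in that list grants nothing even if it appears in a token.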