Create Client Grant for client with non-existing Scope

net.oleksii.zeleniuk · May 2, 2023, 2:49pm

Hello everyone,

I have a question about the Scopes management in Auth0. Unfortunately, I couldn’t find the exact answer in the documentation.

I’m trying to grant a scope for a specific client using Management API. However, I stumbled upon the fact, that It’s possible to assign a scope to a client, that doesn’t exist in an API.

Here is my setup:

a M2M client, clientId: 1234567890,
API (audience): https://my-api.example.com
there are no permissions in it

I use this Management API (Auth0 Management API v2) to create a client grant:

POST /api/v2/client-grants

{
  "client_id": "1234567890",
  "audience": "https://my-api.example.com",
  "scope": [
    "non-existing-scope"
  ]
}

In the example above, I can create a Grant and afterward request the “non-existing-scope” scope:

curl --request POST \
  --url 'https://auth0/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=client_credentials \
  --data client_id=1234567890 \
  --data client_secret=<SECRET> \
  --data scope=non-existing-scope \
  --data audience=https://my-api.example.com

The non-existing-scope scope will be present in the access_token.

Why does the Management API allow creating a client grant with a scope that is not defined in the API? Or why will this scope not be present in the Auth0 Dashboard among other permissions?

Thank you very much in advance!

Topic		Replies	Views
Configure permission on client Help	4	1755	November 5, 2021
Assigning permissions to M2M Client via Management Api Help management-api , clients	1	524	November 9, 2023
Minimum scopes for the Auth0 Management API Help	3	3300	December 23, 2021
Insufficient scope error when calling authorization extension API for old client Help api-authorization , scope	4	4562	March 2, 2018
Error: Client has not been granted scopes Help	3	12315	March 29, 2018

Create Client Grant for client with non-existing Scope

Related Topics