
Custom scopes inside access token

I have been following the steps described in this tutorial: https://auth0.com/docs/architecture-scenarios/spa-api/part-3

At some point, I have configured an API, created roles, attached permissions and created a test user.

My access token now contains something like this:

{
  "iss": "my-tenant",
  "sub": "...",
  "aud": [
    "my-audience"
  ],
  "iat": 1568059650,
  "exp": 1568146050,
  "scope": "openid email profile",
  "gty": "password",
  "permissions": [
    "read:something",
    "write:something"
  ]
}

I was able to validate the signature of the token in my API. After that, I was expecting the Authz lib to validate the scopes. However, I get the following error: “Insufficient scope”.

I understand that my token has the property permissions instead of scopes.
Questions:
a) What’s the difference between permissions and scopes in Auth0?
b) How can I include my custom scopes, for example, “read:something”, inside the access token?

Thanks in advance!

The jwtAuthz lib has the option customScopeKey.
You can use it like this to make it work with the permissions claim instead of the scope you get:

jwtAuthz(["read:something"], { customScopeKey: "permissions" });
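To make the answer above concrete, here is an added, self-contained illustration (not the library's source and not part of the original thread) of the check an authz middleware performs on the token from the question: with the default key it reads the space-delimited "scope" string and fails, while customScopeKey: "permissions" makes it read the permissions array. The option names customScopeKey and checkAllScopes follow express-jwt-authz; the defaults used here and the fake req/res objects are assumptions for the example.

```javascript
// Constructed sample: the access token payload from the question.
const payload = {
  iss: "my-tenant",
  sub: "user-id-placeholder",
  aud: ["my-audience"],
  iat: 1568059650,
  exp: 1568146050,
  scope: "openid email profile",
  gty: "password",
  permissions: ["read:something", "write:something"],
};

// Normalise a claim into a list of scope strings. Auth0 issues "scope" as a
// space-delimited string and "permissions" (RBAC) as a JSON array.
function grantedScopes(claims, key) {
  const claim = claims[key];
  if (typeof claim === "string") return claim.split(" ").filter(Boolean);
  if (Array.isArray(claim)) return claim;
  return [];
}

// Returns null when the required scopes are present, otherwise the error text
// the API should answer with. Assumed defaults: read the "scope" claim and
// accept any one of the expected scopes unless checkAllScopes is true.
function checkScopes(claims, expected, options = {}) {
  const { customScopeKey = "scope", checkAllScopes = false } = options;
  const granted = new Set(grantedScopes(claims, customScopeKey));
  const ok = checkAllScopes
    ? expected.every((s) => granted.has(s))
    : expected.some((s) => granted.has(s));
  return ok ? null : "Insufficient scope";
}

// Express-style middleware built on the same check. Assumes a preceding JWT
// verification middleware already validated the signature and put the claims
// on req.user; a 403 is returned when the scope check fails.
function requireScopes(expected, options) {
  return (req, res, next) => {
    const err = checkScopes(req.user || {}, expected, options);
    if (err) return res.status(403).send(err);
    return next();
  };
}

console.log(checkScopes(payload, ["read:something"])); // "Insufficient scope"
console.log(checkScopes(payload, ["read:something"], { customScopeKey: "permissions" })); // null
```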

Thanks a lot @paulo.casari for sharing it with the rest of community!