Custom scopes inside access token

jerome.vonk · September 9, 2019, 8:22pm

I have been following the steps described in this tutorial: API and SPA Configuration (SPAs + API)

At some point, I have configured an API, created roles, attached permissions and created a test user.

My access token now contains something like this:

{
  "iss": "my-tenant",
  "sub": "...",
  "aud": [
    "my-audience",
  ],
  "iat": 1568059650,
  "exp": 1568146050,
  "scope": "openid email profile",
  "gty": "password",
  "permissions": [
    "read:something",
    "write:something"
  ]
}

I was able to validate the signature of the token in my API. After that, I was expecting Authz lib to validate the scopes. However, I get the following error: “Insufficient scope”.

I understand that my token has the property permissions instead of scopes.
Questions:
a) What’s the difference between permissions and scopes in Auth0?
b) How can I include my custom scopes, for example, “read:something”, inside the access token?

Thanks in advance!

paulo.casari · September 10, 2019, 6:58pm

The jwtAuthz lib have the option customScopeKey
you can use it like this to make it work with permissions instead of scope you get.

jwtAuth(["read:something"], { customScopeKey: "permissions" });

konrad.sopala · September 11, 2019, 12:49pm

Thanks a lot @paulo.casari for sharing it with the rest of community!

system · September 26, 2019, 12:49pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.