Custom scopes/permissions not included in access token from Okta IdP

Hi,
In Auth0 I have configured:

  • A Custom API with 18 permissions.
  • A Next.js client that calls the API.
  • A SPA Auth0 application with an “enterprise connection” to an Okta OIDC IdP.
  • An enterprise connection to an Okta OIDC IdP.
  • The Okta OIDC application.

Login succeeds but the token exchange does not include my custom scopes/permissions in the access token.

OIDC connection in Auth0:

Okta scopes:

This is the access token sent to the API:

{
  "iss": "https://bookend-mvp-staging.us.auth0.com/",
  "sub": "oidc|Bookend-Okta-OIDC-SSO|00uezee7dbLsmw0kB5d7",
  "aud": [
    "https://control-plane-pwuhwxrqnq-uc.a.run.app",
    "https://bookend-mvp-staging.us.auth0.com/userinfo"
  ],
  "iat": 1715053960,
  "exp": 1715140360,
  "scope": "openid profile email",
  "org_id": "org_pOdZ283uSzKQpddI",
  "azp": "PmuiEJVHdJVj3xaAqn4z0HCOXDhbbqyU",
  "permissions": []
}

I have assigned the permission to the user:

How do I get my custom scopes/permissions into the access token sent from Okta?

I see the authorize request does include the custom scopes:

https://dev-11895766.okta.com/oauth2/default/v1/authorize?client_id=0oag2l3qnrCNVqJDs5d7&scope=datasets%3Aread%20datasets%3Ascan%20datasets%3Awrite%20email%20models%3Adelete%20models%3Aread%20models%3Awrite%20openid%20profile&response_type=code&redirect_uri=https%3A%2F%2Fbookend-mvp-staging.us.auth0.com%2Flogin%2Fcallback&login_hint=darren%40bookend.ai&response_mode=query&code_challenge=...&code_challenge_method=S256&state=...

Hey @darrenk!

I see that there’s an org_id in the access token shared, are the permissions assigned directly to the user or by way of an organization? The following post explains the difference well and why you aren’t seeing any permissions in the permissions claim:


That was the problem.
I added the role to the user at the organization level (in Auth0) and it is working now.

The scopes in the IdP (Okta) were not needed.

Thanks for your help!
-Darren

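The symptom in this thread is only visible once the API actually enforces the permissions claim. The check below is an added example, not code from the thread or from Auth0; it assumes the JWT signature has already been verified, uses the decoded token from the thread as constructed input, and constructs a second token with the permission names seen in the authorize URL to show the behaviour after the role was assigned at the organization level.

```python
import time

API_AUDIENCE = "https://control-plane-pwuhwxrqnq-uc.a.run.app"
ISSUER = "https://bookend-mvp-staging.us.auth0.com/"

# Constructed sample: the decoded claims posted in the thread (role assigned to the user only,
# so Auth0 emitted an empty permissions claim for the organization login).
TOKEN_WITHOUT_PERMISSIONS = {
    "iss": ISSUER,
    "sub": "oidc|Bookend-Okta-OIDC-SSO|00uezee7dbLsmw0kB5d7",
    "aud": [API_AUDIENCE, ISSUER + "userinfo"],
    "iat": 1715053960,
    "exp": 1715140360,
    "scope": "openid profile email",
    "org_id": "org_pOdZ283uSzKQpddI",
    "azp": "PmuiEJVHdJVj3xaAqn4z0HCOXDhbbqyU",
    "permissions": [],
}

# Constructed sample: same token after the role is assigned at the organization level.
# Permission names are taken from the authorize request in the thread.
TOKEN_WITH_PERMISSIONS = dict(TOKEN_WITHOUT_PERMISSIONS,
                              permissions=["datasets:read", "models:read"])


def authorize(claims, required_permission, expected_org=None, now=None):
    """Decide whether an already signature-verified access token may call the API.

    Returns (allowed, reason). The RBAC decision is made on the `permissions`
    claim, not on `scope`: `scope` only lists what the client requested.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if API_AUDIENCE not in audiences:
        return False, "token was not issued for this API"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if expected_org is not None and claims.get("org_id") != expected_org:
        return False, "token issued for a different organization"
    permissions = claims.get("permissions") or []
    if required_permission not in permissions:
        # Empty list with an org_id present is the thread's misconfiguration:
        # the role was granted to the user, not to the user's organization membership.
        return False, f"missing permission {required_permission} (granted: {permissions})"
    return True, "ok"
```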

Ah, great! Thanks for confirming :slight_smile:
