Custom scopes/permissions not included in access token from Okta IdP

Help
,
1

Hi,
In Auth0 I have configured:

  • A Custom API with 18 permissions.
  • A Next.js client that calls the API.
  • A SPA Auth0 application with an “enterprise connection” to an Okta OIDC IdP.
  • An enterprise connection to an Okta OIDC IdP.
  • The Okta OIDC application.

Login succeeds but the token exchange does not include my custom scopes/permissions in the access token.

OIDC connection in Auth0:

OIDC connection in Auth0
OIDC connection in Auth0908×1023 90.7 KB

Okta scopes:

Okta scopes
Okta scopes535×884 41.8 KB

This is the access token sent to the API:

{
  "iss": "https://bookend-mvp-staging.us.auth0.com/",
  "sub": "oidc|Bookend-Okta-OIDC-SSO|00uezee7dbLsmw0kB5d7",
  "aud": [
    "https://control-plane-pwuhwxrqnq-uc.a.run.app",
    "https://bookend-mvp-staging.us.auth0.com/userinfo"
  ],
  "iat": 1715053960,
  "exp": 1715140360,
  "scope": "openid profile email",
  "org_id": "org_pOdZ283uSzKQpddI",
  "azp": "PmuiEJVHdJVj3xaAqn4z0HCOXDhbbqyU",
  "permissions": []
}

I have assigned the permission to the user:

Screen Shot 2024-05-07 at 11.34.13 AM
Screen Shot 2024-05-07 at 11.34.13 AM820×429 43.9 KB

How do I get my custom scopes/permissions into the access token sent from Okta?

3

I see the authorize request does include the custom scopes:

https://dev-11895766.okta.com/oauth2/default/v1/authorize?client_id=0oag2l3qnrCNVqJDs5d7&scope=datasets%3Aread%20datasets%3Ascan%20datasets%3Awrite%20email%20models%3Adelete%20models%3Aread%20models%3Awrite%20openid%20profile&response_type=code&redirect_uri=https%3A%2F%2Fbookend-mvp-staging.us.auth0.com%2Flogin%2Fcallback&login_hint=darren%40bookend.ai&response_mode=query&code_challenge=...&code_challenge_method=S256&state=...
1 Like
4

Hey @darrenk!

I see that there’s an org_id in the access token shared, are the permissions assigned directly to the user or by way of an organization? The following post explains the difference well and why you aren’t seeing any permissions in the permissions claim:

1 Like
5

That was the problem.
I added the role to the user at the organization level (in Auth0) and it is working now.

The scopes in the IdP (Okta) were not needed.

Thanks for your help!
-Darren

1 Like
6

Ah, great! Thanks for confirming :slight_smile:

7

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.