Does 'scope:' do anything when using Client Credentials?

Using node-auth0 with Client Credentials grant type:

Looking for some insight… my guess is this is b/c I am using the CC grant type so the following params don’t matter:

In the following code snippet, scope: does not seem to do anything. I have functions for getting the configuration of my tenant, applications, and rules. Having scope: 'read:users' does not prevent my “get tenant”, “get application”, etc. functions from working. Removing scope: altogether likewise has no effect on functionality. In the API, I have enabled read: scopes for these objects. I assume enabling the scopes in the API is all that matters.

Similarly, audience has no effect. Removing it does not change the functionality of my CLI.

    return new ManagementClient({
        domain: process.env.AUTH0_DOMAIN,
        clientId: process.env.AUTH0_CLIENT_ID,
        clientSecret: process.env.AUTH0_CLIENT_SECRET,
        audience: 'https://' + process.env.AUTH0_DOMAIN + '/api/v2/',
        scope: 'read:users'
    });

The scope parameter is ignored on the client credentials grant (see "Client credentials request ignores scope parameter?" for a discussion on this).

As for the audience, the ManagementClient defaults to the regular API v2 audience (https://{your_auth0_domain}/api/v2/) based on the domain configured:

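An added example, not part of the original posts or of node-auth0: because the requested scope does not narrow a client-credentials token, this Node.js code decodes a token's payload and reports which granted scopes were never requested or are not needed by the tool. The sample token, the tenant URL, and the `decodeJwtPayload`, `auditScopes` and `makeSampleToken` helpers are constructed for illustration.

```javascript
'use strict';

// Decode the payload of a compact JWT for inspection only. This does NOT
// verify the signature; the API receiving the token still has to do that.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWT (expected 3 dot-separated parts)');
  }
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Compare what the caller asked for with what the token actually carries.
// `requested` is the scope string passed to the client; `needed` is the
// least-privilege list the tool really requires (both hypothetical inputs).
function auditScopes(token, requested, needed) {
  const claims = decodeJwtPayload(token);
  const granted = new Set(String(claims.scope || '').split(/\s+/).filter(Boolean));
  const asked = requested.split(/\s+/).filter(Boolean);
  return {
    audience: claims.aud,
    granted: [...granted].sort(),
    // Granted although never requested: the request did not narrow the token.
    notRequested: [...granted].filter((s) => !asked.includes(s)).sort(),
    // Granted but not needed: candidates to disable for this client on the API.
    excess: [...granted].filter((s) => !needed.includes(s)).sort(),
    // Needed but not granted: calls relying on these will be rejected.
    missing: needed.filter((s) => !granted.has(s)).sort(),
  };
}

// Constructed sample token: made-up tenant, placeholder signature.
function makeSampleToken() {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const header = { alg: 'RS256', typ: 'JWT' };
  const payload = {
    aud: 'https://example-tenant.example.com/api/v2/',
    scope: 'read:users read:clients read:rules read:tenant_settings',
  };
  return `${b64(header)}.${b64(payload)}.constructed-signature`;
}

// The caller asked only for read:users, yet the token carries every enabled scope.
console.log(auditScopes(makeSampleToken(), 'read:users', ['read:users', 'read:clients']));
```

Run it against a real access token from your own tenant by passing the token string to `auditScopes` in place of `makeSampleToken()`.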