Problem statement
We have several APIs which have granted access to various machine-to-machine applications, along with the relevant permissions. If we request a token against such an API for an M2M application that has been granted access to that API, and we do not specify which scopes to include, the access token we get back includes all granted scopes, as expected.
However, if we make the same request but specify a subset of the granted scopes, we still get back a token with all granted scopes rather than only the requested ones. Why don’t we get back only those scopes that we have requested?
Symptoms
- Make a call to a custom API using the Client Credentials flow.
  - Reference: Authorization Code Flow with PKCE
- All scopes are returned, regardless of attempting to request a subset of scopes.
Steps to reproduce
- Make the following Client Credentials Flow request:
curl -sS --request POST \
  --url "https://auth.dev.example.com/oauth/token" \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=client_credentials \
  --data client_id="abc123def578" \
  --data client_secret="**REDACTED**" \
  --data scope="read:claims" \
  --data audience="api2"
You might expect to get back only the “read:claims” scope that has been specified. But in fact, all of the API scopes will be returned.
Solution
During a client credential flow, the scopes returned will always be the full set of authorized scopes for the M2M app. This holds true, even if you specify a subset of the available scopes.
You will have to use Auth0 Rules to manipulate the scopes that are returned. This can be done by manipulating the context.accessToken object:
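As an added example, not the article's own Rule, the following JavaScript shows the scope-narrowing logic such a Rule needs: keep only the requested scopes that are also granted, never widen the set, and fall back to the full granted set when no scope parameter was sent. The Rule wrapper's signature and the context.accessToken.scope and context.request.body.scope fields are assumed from the Auth0 Rules API; restrictScopes and restrictScopesRule are names chosen here.

```javascript
// Pure helper: intersect the granted scopes with the requested ones.
// grantedScopes may be an array or a space-separated string; requestedScope
// is the raw space-separated "scope" parameter from the token request.
// Never adds a scope the client was not granted; if nothing was requested,
// returns the full granted set (the behaviour the article calls "as expected").
function restrictScopes(grantedScopes, requestedScope) {
  const granted = Array.isArray(grantedScopes)
    ? grantedScopes
    : String(grantedScopes || '').split(/\s+/).filter(Boolean);
  const requested = String(requestedScope || '').split(/\s+/).filter(Boolean);
  if (requested.length === 0) return granted;
  const allowed = new Set(granted);
  return requested.filter((s) => allowed.has(s));
}

// Rule-shaped wrapper (assumed shape: function (user, context, callback)).
// Reads the scope parameter from the token request body and overrides
// context.accessToken.scope with the narrowed set.
function restrictScopesRule(user, context, callback) {
  const body = (context.request && context.request.body) || {};
  const granted = (context.accessToken && context.accessToken.scope) || [];
  const scopes = restrictScopes(granted, body.scope);
  if (scopes.length === 0) {
    // The client asked only for scopes it was never granted: refuse the
    // request instead of issuing an empty or silently widened token.
    return callback(new Error('None of the requested scopes are granted to this client'));
  }
  context.accessToken.scope = scopes;
  return callback(null, user, context);
}

// Constructed sample matching the curl request above: three granted scopes,
// one requested.
const sampleContext = {
  request: { body: { scope: 'read:claims' } },
  accessToken: { scope: ['read:claims', 'write:claims', 'delete:claims'] },
};
restrictScopesRule({}, sampleContext, (err, user, ctx) => {
  console.log(err ? err.message : ctx.accessToken.scope); // [ 'read:claims' ]
});
```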
Unfortunately, this capability is not yet available in Actions (correct as of January 2023):
- Actions Limitations