Flow: Password. Always receive all Scopes when User didin't have Permissions and Rôles

msavard · September 21, 2020, 4:03pm

Hi,
I create my test unit and for test not Authorization User, I create a new User in Auth0 without Role. But when I run my test, the “Success Exchange” send all Scope value for my Application and not the Scope from User

My Log
Type: Success Exchange
Description: Password for Access Token
Connection: Username-Password-Authentication

{
“date”: “2020-09-21T15:56:32.382Z”,
“type”: “sepft”,
“description”: “Password for Access Token”,
“connection”: “Username-Password-Authentication”,
“connection_id”: “",
“client_id”: "”,
“client_name”: “",
“ip”: "”,
“client_ip”: “",
“user_agent”: “Other 0.0.0 / Other 0.0.0”,
“user_id”: "auth0|”,
“user_name”: “jenkinnotnauthorized@",
“audience”: "”,
“scope”: “write:App read:App write:Service read:Service”,
“log_id”: “",
“_id”: "”,
“isMobile”: false
}

In my C# Code, my API Header
[HttpGet]
[Route(“serverActions”)]
[Authorize(AuthenticationSchemes = “Bearer”, Policy = “read:Service”)]

jmangelo · September 22, 2020, 10:49am

Unless someone recently experienced the same exact issue it may be complex to provide you with a definitive answer with the information available. Is it possible for you to share a client identifier and tenant name or at least the tenant region for which you are performing this test?

msavard · September 22, 2020, 11:30am

Yes no problem, it’s my test account
My Profile: msavard@d-box.com
Domain: dev-dhh2j9fp.us.auth0.com
Region: US - Free

My User with all Roles: jenkin@d-box.com
My user with no Role: jenkinnotnauthorized@d-box.com

Both in history have a scope with all Permissions and are able to call all my Authorize C# API fonction with specific policy

msavard · September 23, 2020, 10:55am

I solve with Rule, but isn’t normal this bug

function (user, context, callback) {
var map = require(‘array-map’);
var ManagementClient = require(‘auth0@2.17.0’).ManagementClient;
var management = new ManagementClient({
token: auth0.accessToken,
domain: auth0.domain
});
var params = { id: user.user_id};
management.getUserPermissions(params, function (err, permissions) {
var permissionNames = ;
permissions.forEach(function(obj) { permissionNames.push(obj.permission_name); });
context.accessToken.scope = permissionNames.join(’ ');
callback(null, user, context);
});
}

jmangelo · September 23, 2020, 2:33pm

I did not had the opportunity to review this today using the additional information you shared. I expect to be able to do it tomorrow, and yes, I would agree with you that this does not look normal.