I am migrating my application from IdentityServer to Auth0. I can’t find how to define a client’s available scopes and, every time a user tries to log in, validate whether that client application has access to the scopes it requests.
E.g. I want to define “client1”, which has the allowed scope “scope1”, and an API “api1”, which has the “scope1” permission. The user provides their login/password, client credentials, the API identifier “api1” and the requested scope “scope1”.
We need to somehow check whether that client application has access to “scope1”. If it does, it can get an access token to consume “api1”; otherwise it doesn’t have permission to that scope.
Currently the application can get every scope that “api1” defines.
Hi @enam - welcome to the Auth0 community!
Auth0 has built-in support through our Authorization Core feature (https://auth0.com/docs/authorization/how-to-use-auth0s-core-authorization-feature-set) to restrict the scopes returned based on the user who is performing the authentication.
There is support for restricting scopes based on the client application, but only in client credentials flows, where it’s the client itself that authenticates (no end-user).
There is a similar community post discussing this topic that you might find helpful: Is it possible to restrict the scopes available to a SPA.
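Since Auth0 does not restrict scopes per client in end-user login flows, the per-client check the question asks for has to live in the API itself. The following is an added example (not code from the original thread, from Auth0 or from the poster's project) showing that check in Node.js: it takes an already signature-verified access token's claims, matches the `azp` (authorized party, i.e. the requesting client_id) claim against a per-client scope allow-list, intersects that with the scopes the token actually carries and the scopes the API defines, and only then decides whether the endpoint's required scope is present. The client names, the `CLIENT_ALLOWED_SCOPES` table, the `authorizeRequest` function and the sample claims are all assumptions constructed for this illustration.

```javascript
// Added example: per-client scope allow-list enforced inside the API.
// Assumes the JWT has already been signature-verified and decoded by a
// library such as jose or express-oauth2-jwt-bearer; only the claims are used.

// Hypothetical policy: which scopes each client application may use against this API.
const CLIENT_ALLOWED_SCOPES = {
  client1: new Set(["scope1"]),
  client2: new Set(["scope2", "read:reports"]),
};

// Scopes the API "api1" defines (constructed to match the question).
const API_SCOPES = new Set(["scope1", "scope2", "read:reports"]);
const API_IDENTIFIER = "api1";

/**
 * Decide whether a decoded access token may call an endpoint that needs `requiredScope`.
 * Order of checks: audience, authorized party (`azp` = client_id the token was issued to),
 * then the intersection of granted scopes, API-defined scopes and client-allowed scopes.
 * Returns { allowed, reason, effectiveScopes } so callers can log the decision.
 */
function authorizeRequest(claims, requiredScope) {
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!audiences.includes(API_IDENTIFIER)) {
    return { allowed: false, reason: "audience mismatch", effectiveScopes: [] };
  }

  const clientId = claims.azp;
  const allowedForClient = CLIENT_ALLOWED_SCOPES[clientId];
  if (!allowedForClient) {
    return { allowed: false, reason: `unknown client ${clientId}`, effectiveScopes: [] };
  }

  // `scope` is a space-separated string in Auth0 access tokens.
  const granted = (claims.scope || "").split(" ").filter(Boolean);

  // Effective scopes = granted ∩ API-defined ∩ allowed-for-this-client.
  // Scopes the token carries but the client may not use are dropped, not trusted.
  const effective = granted.filter(
    (s) => API_SCOPES.has(s) && allowedForClient.has(s)
  );

  if (!effective.includes(requiredScope)) {
    return {
      allowed: false,
      reason: `scope ${requiredScope} not allowed for ${clientId}`,
      effectiveScopes: effective,
    };
  }
  return { allowed: true, reason: "ok", effectiveScopes: effective };
}

// Constructed sample claims shaped like a decoded Auth0 access token (not a real token).
// The token carries scope2 although client1 is not allowed to use it.
const sampleClaims = {
  iss: "https://example.auth0.com/",
  sub: "auth0|user123",
  aud: ["api1"],
  azp: "client1",
  scope: "openid scope1 scope2",
  exp: 9999999999,
};

console.log(authorizeRequest(sampleClaims, "scope1")); // allowed
console.log(authorizeRequest(sampleClaims, "scope2")); // denied: client1 may not use scope2
```

The point of the intersection is that the API never acts on a scope just because Auth0 put it in the token: the token's `scope` claim says what the user was granted, while the `azp`-keyed table says what this client is entitled to ask for on the user's behalf. Expiry and issuer checks are left to the JWT library that verified the token before these claims reach the function.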
Thanks @ruchi for your answer.
We are here for you!