How to add default custom scopes in password/authorization code grant?


Is it possible to add custom default scopes while issuing token with password/authorization code grant flow?

I was reading through auth0 docs and it looks like this is supported only in client credentials grant flow.
And for rest of the flow, we either have to assign roles/permissions to users to get these scopes. I understand the reasoning behind it but just to keep our system in parity with old system, we were exploring if there;s any way we can add default scopes in access token?

For example, add custom login in post login action to include appropriate scopes.

Hey there @kpritam!

I believe TOKEN_DIALECT may be what you are after here - Please see the following post which outlines it’s use:

Hope this helps!

Hi @tyf , seems like that is exactly what I am looking for.
But I am not able to find Token Dialect option anywhere. Can you please point me where that setting is present in the dashboard? I looked at the Authentication/APIs section but couldn’t find it.

1 Like

Seems like I need to use Management API to set the token dialect. I will have to do this in Post registration action (Social logins might not be supported) or Post Login action (Also refresh the token)

My use case at the moment is -

  1. If request contains scopes, then just return same in the jwt
  2. If request does not contains any scope, then return default scopes in the jwt

Note: This is just to keep parity with legacy system from where we are migrating to auth0.

I have come up with this Post Login Action, @tyf do you see any issues with this?:

const namespace = '';
const scpClaimKey = `${namespace}/scp`
const userIdClaimKey = `${namespace}/user_id`
const defaultClaims = ["withdraw:rw", "deposit:rw"]

*Handler that will be called during the execution of a PostLogin flow.
,*@param {Event} event - Details about the user and the context in which they are logging in.
,*@param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
exports.onExecutePostLogin = async (event, api) => {
  const scope = event.request.query.scope ? event.request.query.scope : event.request.body.scope;
  addScope(api, scope);
  api.accessToken.setCustomClaim(userIdClaimKey, event.user.user_id);

,*Add custom claims to the access token
,*@param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
,*@param {string} scope - scope field from the request body or query param.
function addScope(api, scope) {
  if (scope === undefined || scope === null ||  scope === "") {
      api.accessToken.setCustomClaim(scpClaimKey, defaultClaims);
  else {
    api.accessToken.setCustomClaim(scpClaimKey, scope.split(" "));
1 Like

You will need to set TOKEN_DIALECT using the Management API - Social Logins will only work with a Post Login Action - Regarding the Action code, without testing anything it looks OK to me! Please do update us here on how this works out for you if you find the time :smile:

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.