How to restrict scopes requested by a third-party application

Problem Statement

How can I restrict scopes requested by the user when getting tokens for my API? For example, scopes scope1, scope2, and scope3 are available, but we only want the user to request scope1 and scope2.

Steps to Reproduce

Get an Access Token:

Authorization code flow, deliberately requesting a scope (scope:3) that the user should not be able to use:

https://YOUR_DOMAIN/authorize?response_type=code&client_id=YOUR_CLIENTID&redirect_uri=http://jwt.io&scope=scope:3&audience=https://testapi.com
curl --request POST \
  --url 'https://YOUR_DOMAIN/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=authorization_code&client_id=YOUR_CLIENTID&client_secret=YOUR_CLIENT_SECRET&code=CODE_FROM_ABOVE_AUTHORIZE&redirect_uri=http://jwt.io'

Solution

If you are not enforcing permissions via RBAC on the API, you can use a rule to force your Auth0 application/client to always receive tokens with a specific set of scopes (here scope1 and scope2). The rule overwrites whatever scope the client requested, so a request for scope3 still yields a token limited to scope1 and scope2. Below is the sample script:

function (user, context, callback) {
  // Only override scopes for the named application; other clients are left untouched.
  if (context.clientName === 'My App') {
      // Replace whatever scope was requested with the fixed set scope:1 and scope:2.
      context.accessToken.scope = 'scope:1 scope:2';
  }

  return callback(null, user, context);
}
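As an added example (not part of the original article or of Auth0's own code), the same idea generalised: instead of hard-coding the scope string, the rule keeps only the requested scopes that appear on a per-application allow-list, so a token never carries a scope the application was not entitled to. It assumes the rule can read the originally requested scopes from context.request.query.scope and, like the article's rule, writes the result to context.accessToken.scope; the allow-list contents are constructed sample values.

```javascript
// Per-application allow-list (constructed sample values; "My App" is the
// client name used in the article). Any OIDC scopes the application needs
// (e.g. openid) must be listed here too, or they will be filtered out.
const ALLOWED_SCOPES = {
  'My App': ['scope:1', 'scope:2'],
};

// Pure helper so the policy can be unit-tested outside the Auth0 runtime.
// requested: space-separated scope string from the authorize request.
// Returns the space-separated intersection of requested and allowed scopes,
// preserving request order and dropping duplicates. Clients without an
// allow-list entry are not governed by this rule and pass through unchanged,
// mirroring the article's `if (context.clientName === 'My App')` check.
function restrictScopes(clientName, requested) {
  const allowed = ALLOWED_SCOPES[clientName];
  if (!allowed) return requested;
  const kept = [];
  for (const s of String(requested || '').split(/\s+/)) {
    if (s && allowed.includes(s) && !kept.includes(s)) kept.push(s);
  }
  return kept.join(' ');
}

// Rule entry point in the same shape as the article's rule.
// Assumption: context.request.query.scope holds the scope parameter of the
// /authorize request that started this flow.
function restrictScopesRule(user, context, callback) {
  const q = (context.request && context.request.query) || {};
  context.accessToken.scope = restrictScopes(context.clientName, q.scope || '');
  return callback(null, user, context);
}
```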