Problem Statement
How can I restrict scopes requested by the user when getting tokens for my API? For example, scopes scope1, scope2, and scope3 are available, but we only want the user to request scope1 and scope2.
Steps to Reproduce
Get an Access Token:
Authorization code flow
I’m trying to specify a scope that I shouldn’t be using
https://YOUR_DOMAIN/authorize?response_type=code&client_id=YOUR_CLIENTID&redirect_uri=http://jwt.io&scope=scope:3&audience=https://testapi.com
Then exchange the returned code for tokens (the stray semicolons that broke the line continuation have been removed):
curl --request POST \
  --url 'https://YOUR_DOMAIN/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=authorization_code&client_id=YOUR_CLIENTID&client_secret=YOUR_CLIENT_SECRET&code=CODE_FROM_ABOVE_AUTHORIZE&redirect_uri=http://jwt.io'
Solution
If you are not enforcing permissions via RBAC on the API, you can force your Auth0 application/client to always issue access tokens with a fixed set of scopes (for example scope1 and scope2) via a rule, regardless of what the client requested in the /authorize call. Below is the sample script:
function (user, context, callback) {
  // Only apply to the application whose tokens should be restricted.
  if (context.clientName === 'My App') {
    // Overwrite the scope claim of the issued access token so that a
    // request for scope:3 still results in a token with scope:1 scope:2 only.
    context.accessToken.scope = 'scope:1 scope:2';
  }
  return callback(null, user, context);
}
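The rule above replaces the scope string outright, so a client that asked only for scope:1 still receives scope:2. The following is an added example, not code from the original article or from Auth0, showing the more general approach: filter the requested scopes against a per-client allow-list so that permitted scopes are kept and anything else (such as scope:3) is dropped. It assumes the rule signature shown above and that the originally requested scope is available on context.request.query.scope (authorization code flow) or context.request.body.scope (other grants); the client name 'My App' and the simulateRule helper with its constructed context are illustrative.

```javascript
// Added example (not from the original article): restrict the access token's
// scope to an allow-list instead of overwriting it.

// Allowed scopes per client name. Assumption: client names are stable
// identifiers in your tenant; 'My App' is a hypothetical name.
const ALLOWED_SCOPES = {
  'My App': ['scope:1', 'scope:2'],
};

// Returns the subset of `requested` (a space-separated scope string) that is
// present in `allowed`, preserving the order in which scopes were requested.
// Empty or missing input yields an empty string rather than throwing.
function filterScopes(requested, allowed) {
  const allowedSet = new Set(allowed);
  return String(requested || '')
    .split(/\s+/)
    .filter((s) => s.length > 0 && allowedSet.has(s))
    .join(' ');
}

// Rule body in the Auth0 rule signature (user, context, callback).
// Assumption: the requested scope is read from context.request.query.scope
// (authorization code flow) or context.request.body.scope (other grants).
function restrictScopesRule(user, context, callback) {
  const allowed = ALLOWED_SCOPES[context.clientName];
  if (allowed) {
    const req = context.request || {};
    const requested =
      (req.query && req.query.scope) || (req.body && req.body.scope) || '';
    // context.accessToken.scope sets the scope claim of the issued access token.
    context.accessToken.scope = filterScopes(requested, allowed);
  }
  return callback(null, user, context);
}

// Offline harness with a constructed context (not real Auth0 data): runs the
// rule and returns the resulting access-token scope, or undefined if the rule
// left it untouched.
function simulateRule(clientName, requestedScope) {
  const context = {
    clientName,
    request: { query: { scope: requestedScope } },
    accessToken: {},
  };
  let result;
  restrictScopesRule({ user_id: 'auth0|example' }, context, (err, u, ctx) => {
    result = err ? null : ctx.accessToken.scope;
  });
  return result;
}

// Example runs:
// simulateRule('My App', 'scope:1 scope:3')   -> 'scope:1'
// simulateRule('My App', 'scope:3')           -> ''
// simulateRule('Other App', 'scope:3')        -> undefined (rule not applied)
```

If the application also relies on standard OIDC scopes such as openid or profile, include them in the allow-list, since anything absent from it is dropped from the issued token. As with the original rule, this only controls what the token carries; the API must still check the scope claim before granting access.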