How to restrict scopes requested by a third-party application

lihua.zhang · November 10, 2022, 9:07pm

Problem Statement

How can I restrict scopes requested by the user when getting tokens for my API? For example, scopes scope1, scope2, and scope3 are available, but we only want the user to request scope1 and scope2.

Steps to Reproduce

Get an Access Token:

Authorization code flow
I’m trying to specify a scope that I shouldn’t be using

https://YOUR_DOMAIN/authorize?&response_type=code&client_id=YOUR_CLIENTID&redirect_uri=http://jwt.io&scope=scope:3&audience=https://testapi.com

curl --request POST \
  --url 'https://YOUR_DOMAIN/oauth/token'; \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=authorization_code&client_id=YOUR_CLIENTID&client_secret=YOUR_CLIENT_SECRET&code=CODE_FROM_ABOVE_AUTHOTIZE&redirect_uri=http://jwt.io';

Solution

If you are not enforcing permissions via RBAC on the API, you can force your Auth0 application/client to always request tokens with a specific scope via a rule i.e. scope1 and scope2. Below is the sample script:

function (user, context, callback) {
  
  if (context.clientName === 'My App') {
      context.accessToken.scope = 'scope:1 scope:2';
  }
  
  return callback(null, user, context);
}

Topic		Replies	Views
How do I restrict scopes in auth_token based on user profile? Help rules , scopes , access_token , access-token , jwtconfiguration	2	5008	March 2, 2018
How can I restrict scopes a Client can use without duplicating APIs (ressource servers) ? Help authentication_api , scopes	4	4857	March 2, 2018
Is it possible to restrict the scopes available to a SPA Help scopes , spa	6	5482	February 6, 2023
Auth0 JWT doesn't have requested API Scopes Help jwt , scopes	10	4413	September 4, 2021
How to assign custom scopes to users? Help users , scopes , api-authorization	6	14750	December 7, 2020

How to restrict scopes requested by a third-party application

Problem Statement

Steps to Reproduce

Solution

Related Topics