Identity token does not include scopes when using authorization code flow

When I use the authorization code flow, the returned identity token does not include the requested custom scopes. These scopes are configured for both the API and the user. When using the implicit flow, the scopes are included in the returned token.

Does the authorization code flow behave differently in this regard?
Or is there perhaps some error in the configuration?

Any help would be appreciated.

Hi @evansnd,

Welcome to the Community!

Can you show us how you are making the request? Code snippets are great!

Hi, I’m using this library:

GitHub - manfredsteyer/angular-oauth2-oidc: Support for OAuth 2 and OpenId Connect (OIDC) in Angular.
My client config looks like this (obviously I can't post the real config here):

```ts
export const environment = {
  production: false,
  apiUrl: 'http://localhost:39560/v1',
  issuer: 'https://my-domain.auth0.com/',
  baseAddress: 'http://localhost:4200',
  clientId: 'theclientid',

  scope: 'openid profile email myscope',
  responseType: 'code',
  customQueryParams: {
    // Your API's name
    audience: 'myapiurl'
  },
};
```

The client library is configured to use authorization code flow with PKCE. The problem that we have is that when the authorization code is exchanged, the response that comes back has some problems:

  1. The scope field does not contain the requested custom scope "myscope", which has been added to both the API and the user in the Auth0 dashboard.
  2. The returned access token is not a valid JWT. Here is an example: access_token=x8IUDEHkXbfRx_6znvao4PDSYsi0ATzf, and the full response is below:

```json
{
  "access_token": "x8IUDEHkXbfRx_6znvao4PDSYsi0ATzf",
  "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlJUUTNORE5EUWpWQ09FUXlOVE5GTTBKRVFqSkdSREpHUWtFNE5ERkdRell5TlRNMVJqSTBPQSJ9.[payload elided].i8KlZoPoyIGbNI3HvlTGf0_i2AD-owchiTE4Xi2oR60DhlPr2lQSoL6nXke1uf0o8iqSlSCSPXew5qivlMgqyMY9cjXmjXrP2RWz7LGj7qaNcGDooSDnCCDzOHKeu5fZXq7SBDfoVMFMdJjqjOgwuk1gHT3vIb_fucevnt80rerrYIZccSU-G5AFk_PPjqPDPRrVLn_a3DiuixTjgovMDumC0ii7rP2MxPuzZMvHv9etTg5MB2KthfwyZEOqwca0IGHWtg0h1-pVj1NvNVT2BuTHPv3aYg1muFJuLz2Pn7tUmng4tBci6qvmo5r3p0Czc7PkTUWyTq16mnPrhCaU3g",
  "scope": "openid profile email",
  "expires_in": 86400,
  "token_type": "Bearer"
}
```

The same client-side code (obviously with config values changed) works with IdentityServer, Okta and AWS Cognito, but doesn't work with Auth0.

Hi @evansnd

See this page: Sample Use Cases: Scopes and Claims
You probably need to define the scope. You’ll also need to specify the audience (and that is why the access token is not a valid JWT).

You might consider switching to Auth0’s Quickstart for Angular.

John
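A way to check a token response for exactly the two symptoms in this thread (an opaque access token and a missing custom scope), as an added example that is not code from the thread or from angular-oauth2-oidc; the sample response is constructed from the values posted above, and `myapiurl` is the poster's placeholder audience:

```javascript
// Added example: distinguish an opaque Auth0 access token from a JWT and list
// which requested scopes the token endpoint did not grant. The JWT is only
// decoded here, not verified: use it to diagnose configuration, never to
// trust claims on the client.

function base64UrlDecode(segment) {
  const pad = '='.repeat((4 - (segment.length % 4)) % 4);
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/') + pad;
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Returns { header, payload } for a structurally valid JWT, or null for an
// opaque token (no three dot-separated segments or no JSON header with "alg").
function decodeJwtUnverified(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    const header = JSON.parse(base64UrlDecode(parts[0]));
    const payload = JSON.parse(base64UrlDecode(parts[1]));
    if (typeof header.alg !== 'string') return null;
    return { header, payload };
  } catch (e) {
    return null;
  }
}

// requestedScope is the space-separated string sent on /authorize.
function inspectTokenResponse(response, requestedScope) {
  const granted = new Set((response.scope || '').split(' ').filter(Boolean));
  const missingScopes = requestedScope.split(' ').filter(s => s && !granted.has(s));
  const decoded = decodeJwtUnverified(response.access_token || '');
  return {
    accessTokenIsJwt: decoded !== null,
    // Auth0 issues a JWT access token only when an API audience was requested,
    // so an "aud" here confirms the audience parameter actually reached /authorize.
    accessTokenAudience: decoded ? decoded.payload.aud : undefined,
    missingScopes,
  };
}

// Constructed sample: the opaque access token and scope string from the thread.
const SAMPLE_RESPONSE = {
  access_token: 'x8IUDEHkXbfRx_6znvao4PDSYsi0ATzf',
  scope: 'openid profile email',
  expires_in: 86400,
  token_type: 'Bearer',
};

console.log(inspectTokenResponse(SAMPLE_RESPONSE, 'openid profile email myscope'));
```

If `accessTokenIsJwt` is false and `myscope` is listed as missing, the audience was not applied to the authorization request, which matches the diagnosis above.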


Thanks @john.gateley!

In addition, your access token is opaque. See this FAQ for more info:
