Identity token does not include scopes when using authorization code flow

When I use the authorization code flow. The returned identity token does not include the requested custom scopes. These scopes are configured for both the api and the user. When using the implicit flow the scopes are included in the returned token.

Does the authorization code flow behave differently in this regard ?
Or perhaps there some error in configuration ?

Any help would be appreciated.

Hi @evansnd,

Welcome to the Community!

Can you show us how you are making the request? Code snippets are great!

Hi, I’m using this library:

https://github.com/manfredsteyer/angular-oauth2-oidc,
My client config looks like this: (obviously I can’t post the real config here)

export const environment = {
production: false,
apiUrl: ‘http://localhost:39560/v1’,
issuer: ‘https://my-domain.auth0.com/’,
baseAddress: ‘http://localhost:4200’,
clientId: ‘theclientid’,

scope: ‘openid profile email myscope’,
responseType: ‘code’,
customQueryParams: {
// Your API’s name
audience: ‘myapiurl’
},
};

The client library is configured to use authorization code flow with PKCE. The problem that we have is that when the authorization code is exchanged, the response that comes back has some problems:

  1. The scope field does not contain the requested custom scope “myscope” which has been added to both the API and the user in the Auth0 dashboard.
  2. The returned access token is not a valid JWT, here is an example access_token=x8IUDEHkXbfRx_6znvao4PDSYsi0ATzf and a full response is below:

{
"access_token": “x8IUDEHkXbfRx_6znvao4PDSYsi0ATzf”,
“id_token”: “eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlJUUTNORE5EUWpWQ09FUXlOVE5GTTBKRVFqSkdSREpHUWtFNE5ERkdRell5TlRNMVJqSTBPQSJ9.eyJuaWNrbmFtZSI6Im5pY2hvbGFzLmV2YW5zIiwibmFtZSI6Im5pY2hvbGFzLmV2YW5zQHNlZWluZ21hY2hpbmVzLmNvbSIsInBpY3R1cmUiOiJodHRwczovL3MuZ3JhdmF0YXIuY29tL2F2YXRhci9kMjIwZDE0MWU0ZWYxNWYzOTk0ZTQ0ZTRhYjczMmE1MT9zPTQ4MCZyPXBnJmQ9aHR0cHMlM0ElMkYlMkZjZG4uYXV0aDAuY29tJTJGYXZhdGFycyUyRm5pLnBuZyIsInVwZGF0ZWRfYXQiOiIyMDIwLTA4LTExVDIyOjI2OjU3LjY3M1oiLCJlbWFpbCI6Im5pY2hvbGFzLmV2YW5zQHNlZWluZ21hY2hpbmVzLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJpc3MiOiJodHRwczovL2Rldi1ndWFyZGlhbmxpdmUuYXUuYXV0aDAuY29tLyIsInN1YiI6ImF1dGgwfDVlNTM1YTNiYzEyNDQzMGNlOTIzODU1ZCIsImF1ZCI6Ilg2OXp6bndNVXJYQnpNeVNBTzFoQmFmMEpwWGlxcXNVIiwiaWF0IjoxNTk3MTg0ODIwLCJleHAiOjE1OTcyMjA4MjAsIm5vbmNlIjoiVUUxb1ExSlpjMmx0YUVoQmVTNTRkRkpRUlZsbmR5MVRjamRNWlZaeGJHdEtVR05qUXpsaWVWZHdSRTAyIn0.i8KlZoPoyIGbNI3HvlTGf0_i2AD-owchiTE4Xi2oR60DhlPr2lQSoL6nXke1uf0o8iqSlSCSPXew5qivlMgqyMY9cjXmjXrP2RWz7LGj7qaNcGDooSDnCCDzOHKeu5fZXq7SBDfoVMFMdJjqjOgwuk1gHT3vIb_fucevnt80rerrYIZccSU-G5AFk_PPjqPDPRrVLn_a3DiuixTjgovMDumC0ii7rP2MxPuzZMvHv9etTg5MB2KthfwyZEOqwca0IGHWtg0h1-pVj1NvNVT2BuTHPv3aYg1muFJuLz2Pn7tUmng4tBci6qvmo5r3p0Czc7PkTUWyTq16mnPrhCaU3g”,
"scope": “openid profile email”,
“expires_in”: 86400,
“token_type”: “Bearer”
}

The same client side code (obviously with config values changed ) works with identity server , Okta and AWS cognito but doesn’t work with Auth0.

Hi @evansnd

See this page: https://auth0.com/docs/scopes/sample-use-cases-scopes-and-claims#request-custom-api-access
You probably need to define the scope. You’ll also need to specify the audience (and that is why the access token is not a valid JWT).

You might consider switching to Auth0’s Quickstart for Angular.

John

1 Like

Thanks @john.gateley!

In addition, your access token is opaque. See this FAQ for more info:

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.