The article explains an IdP-initiated SAML flow where /userinfo returns an empty response.
Using localhost/unverified domain in the callback URL.
In an IdP-initiated flow, Auth0 servers strip scopes inside a token if the callback URL is an unverified domain. When an unverified domain, like localhost, is used as the callback URL for testing, the /userinfo endpoint returns an empty response for the resulting tokens.
To get a token response with requested scopes, use a verified domain in the callback URL instead of