Problem statement
This article explains why, in an IdP-initiated SAML flow, the /userinfo endpoint returns an empty response.
Symptoms
The /userinfo endpoint returns an empty response when the callback URL uses localhost or another unverified domain.
Cause
In an IdP-initiated flow, Auth0 strips the requested scopes from the token when the callback URL is on an unverified domain. When an unverified domain such as localhost is used as the callback URL for testing, the issued token therefore carries no scopes, and calls to the /userinfo endpoint with that token return an empty response.
Solution
To receive a token that carries the requested scopes, use a verified domain in the callback URL instead of localhost.
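As a diagnostic for the condition above, the following added example (not code from the Auth0 article or from Auth0 itself) inspects the scope claim of a JWT access token and checks whether the callback URL points at localhost. The token format, the claim name `scope`, the treatment of the loopback addresses as unverified, and the sample tokens built by `make_unsigned_jwt` are all assumptions made for the example; the payload is decoded without signature verification, which is acceptable for troubleshooting but never for an authorization decision.

```python
import base64
import json
from urllib.parse import urlparse

# Hosts treated as unverified test hosts. The article names localhost; the
# loopback addresses are included here as an assumption.
UNVERIFIED_HOSTS = {"localhost", "127.0.0.1", "::1"}


def callback_uses_unverified_host(callback_url: str) -> bool:
    """True when the callback URL's host is a local/unverified test host."""
    host = (urlparse(callback_url).hostname or "").lower()
    return host in UNVERIFIED_HOSTS


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(payload: dict) -> str:
    """Build a constructed, unsigned JWT for the example (not an Auth0 token).
    The empty third segment is what 'alg: none' tokens look like; it exists
    here only so the payload-inspection code has something to parse."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def token_scopes(access_token: str) -> set:
    """Return the set of scopes in a JWT access token's 'scope' claim.

    The payload is decoded WITHOUT verifying the signature. That is fine for
    diagnosing why /userinfo is empty, but a token must be verified before any
    trust is placed in its claims."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: an opaque access token has no readable scope claim")
    payload = json.loads(_b64url_decode(parts[1]))
    # Auth0 JWT access tokens carry scopes as a space-separated string.
    return set(payload.get("scope", "").split())


def diagnose(callback_url: str, access_token: str,
             requested=("openid", "profile", "email")) -> str:
    """Classify why a token may be returning an empty /userinfo response.

    Returns one of:
      'ok'                            all requested scopes are present
      'stripped_unverified_callback'  scopes missing AND callback is localhost-like
      'missing_scopes'                scopes missing but callback host is not the cause
    """
    missing = set(requested) - token_scopes(access_token)
    if not missing:
        return "ok"
    if callback_uses_unverified_host(callback_url):
        return "stripped_unverified_callback"
    return "missing_scopes"


if __name__ == "__main__":
    # Constructed sample tokens: one stripped of scopes, one with the full set.
    stripped = make_unsigned_jwt({"sub": "auth0|example", "scope": ""})
    full = make_unsigned_jwt({"sub": "auth0|example", "scope": "openid profile email"})
    print(diagnose("http://localhost:3000/callback", stripped))
    print(diagnose("https://app.example.com/callback", full))
```

Run it against the access token returned by the IdP-initiated login: a result of `stripped_unverified_callback` points at the callback URL, which is the case this article covers, while `missing_scopes` with a verified domain means the scopes were never requested or granted for another reason.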