Auth0 Home Blog Docs

Is it possible to create a rule to avoid specifying multiple scopes for authentication requests?



I’m trying to make a rule in Auth0 to avoid specifying multiple scopes for authentication requests.
Basically, I want to specify one scope or provide no scope during authentication and respond with an id_token containing a default subset of the user profile. I found some rule documentation and managed to edit the scope query context.request.query.scope.match(/\S+/g) and also managed to set values into the id_token using context.idToken'my_param] = user.my_param.

Although it works through rule debugging UI, but it does not work when actually trying to authenticate.

Is it possible to accomplish this by making rule or using some other feature of Auth0? If not, is there another workflow we should use?


Yes, that should be possible, the exact details would depend on the endpoints being used. The reason for this is that right now the authentication API can be called in a strict OpenID Connect (OIDC) compliant mode and in a legacy mode that predated that specification in question.

You seem to be using the context.idToken approach which was made available for the OIDC mode which is the recommended mode to use so I’ll assume you be using this instead of the legacy mode for the remainder of my answer.

In this mode you can include arbitrary custom claims to the ID Token through a rule independently of the scope requested (your rule can still check the requested scope to add conditional logic, but the rule as the final saying). The requirement (documented here) is that you need to namespace your custom claims so that they don’t conflict with the ones defined in the specification, for example:

function (user, context, callback) {
  const namespace = '';
  context.idToken[namespace + 'favorite_color'] = user.favorite_color;

  callback(null, user, context);


If you want to ensure that you’re indeed making use of the OIDC mode check this section.