Issue with getting allowed scopes in token

I am having an issue where, when I request a token using OAuth from Postman, the Auth0 Authentication API Debugger, or my own application, it does not return the scopes that I request, except for the standard OIDC/profile ones like profile, email, and offline_access.

  • I have confirmed that I am sending the request with my audience (https://<domain>/oauth/token?audience=https%3A%2F%2Fapi.projekter.opsella.com)
  • The API has RBAC enabled.
  • I have also ensured that the users show that they have been assigned permissions, either via role or direct assignment.
  • I’m not using any actions/triggers or any of the (deprecated) rules/hooks.

I am attempting to use the Auth0 Organizations feature, so maybe there is some config there that I am missing? I'm pretty confident that I have my request set up correctly in Postman, though I could be wrong. I'm not sure what I'm missing here that would be causing this issue. This was working about a week ago; then, while I was doing my development, I cleaned up some of the organizations and recreated them, and now the scopes stopped showing up.

Hi @kaydenmiller1,

Welcome to the Auth0 Community!

You should be able to get your requested scopes if the login request included your audience.

The organization feature should not interfere with the scopes returned from exchanging a code for an access token.

I recommend reviewing our Call Your API Using the Authorization Code Flow with PKCE documentation as an extra resource.

If you continue having issues, please send me a direct message with your tenant’s name. I can look into this further for you.

Cheers,
Rueben
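One way to check what actually came back before going further, as an added example (not code from this thread or from Auth0): the script below decodes the access token's payload without verifying the signature (debugging only, never for authorization decisions) and reports which of the requested scopes are missing from the `scope` claim and from the RBAC `permissions` claim. It also flags an opaque token, which is what Auth0 issues when no `audience` was sent with the login request; such a token is only valid for /userinfo and never carries API scopes. The API identifier, the requested scopes and the three sample tokens are constructed for the example.

```python
"""Check an Auth0 access token for the API scopes that were requested.

Added example for this thread, not code from the original post or from
Auth0. It decodes the JWT payload WITHOUT verifying the signature, so it is
a debugging aid only and must never be used to make authorization decisions.
The API identifier, requested scopes and sample tokens below are constructed.
"""
import base64
import json
from typing import Dict, List, Optional

# Standard OIDC scopes: they show up in `scope` but are not API permissions,
# so they are never expected in the RBAC `permissions` claim.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment; JWT segments omit the '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_payload(token: str) -> Optional[Dict]:
    """Return the JWT claims, or None for an opaque (non-JWT) token.

    Auth0 issues an opaque access token when the /authorize request carried
    no `audience`; it is only valid for /userinfo and never carries API
    scopes, which is the first thing to rule out when scopes look "missing".
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except (ValueError, TypeError):
        return None
    return claims if isinstance(claims, dict) else None


def check_token(token: str, audience: str, requested: List[str]) -> Dict:
    """Compare the token's `scope`/`permissions` claims with what was requested."""
    api_scopes = set(requested) - OIDC_SCOPES
    claims = decode_payload(token)
    if claims is None:
        return {"opaque": True, "aud_ok": False,
                "missing_scope": set(requested), "missing_permissions": api_scopes}
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    granted = set(claims.get("scope", "").split())
    # `permissions` is only present when the API has RBAC enabled together
    # with "Add Permissions in the Access Token".
    permissions = set(claims.get("permissions", []))
    return {"opaque": False,
            "aud_ok": audience in aud,
            "missing_scope": set(requested) - granted,
            "missing_permissions": api_scopes - permissions}


def make_sample_token(claims: Dict) -> str:
    """Build an unsigned, constructed token for offline demonstration only."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.not-a-real-signature"


API = "https://api.example.com"  # assumed API identifier (the `audience`)
REQUESTED = ["openid", "profile", "read:projects", "write:projects"]

# Constructed: what a healthy token looks like.
GOOD_TOKEN = make_sample_token({
    "iss": "https://tenant.example.auth0.com/",
    "aud": [API, "https://tenant.example.auth0.com/userinfo"],
    "scope": "openid profile read:projects write:projects",
    "permissions": ["read:projects", "write:projects"],
})
# Constructed: the symptom from the thread, only the OIDC scopes came back.
STRIPPED_TOKEN = make_sample_token({
    "iss": "https://tenant.example.auth0.com/",
    "aud": [API],
    "scope": "openid profile",
    "permissions": [],
})
# Constructed: an opaque token, i.e. no `audience` on the /authorize request.
OPAQUE_TOKEN = "8yhN2kQxopaque"

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("stripped", STRIPPED_TOKEN),
                      ("opaque", OPAQUE_TOKEN)):
        print(name, check_token(tok, API, REQUESTED))
```

Paste a real token into `check_token` in place of the constructed ones. Two things the output tells you apart: an opaque token means the `audience` never reached Auth0 (for the authorization code flow it belongs on the /authorize request, not on the token exchange), while a JWT with the right `aud` but empty `permissions` points at the API's RBAC configuration or the user's assigned permissions rather than at the request.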

I have sent you a message. As I mentioned above, I have already included the audience value in the request, and it does not return the expected permissions.


I was able to fix the issue by disabling RBAC on the API, deleting all existing permissions and recreating them. A rather annoying bug, but that seemed to fix it.


Hi @kaydenmiller1,

Thanks for the update!

I’m glad you could resolve the issue, although deleting and recreating all existing permissions caused more overhead.

Let us know if you have any other questions.

Thanks,
Rueben