Auth0 Home Blog Docs

Issue with webauth scope



Was able to login using the below code

    realm: 'abc',
    username: '',
    scope: 'openid user',
    password: 'abc'
}, function(err, authResult) {

However the returned result completely ignored the scope specified, returning:

{ accessToken: 'xxxxxxxxxxxx',
  expiresIn: 86400,
  scope: 'openid profile email address phone',
  idToken: 'eyJ0eXAiOiJxxxxxxxxxxxxx',
  tokenType: 'Bearer' }

How to force webAuth to read the scope specified?


The method in question uses the /oauth/token endpoint which will give you a response conforming to OAuth2/OpenID Connect (OIDC). In addition, I’m assuming that you do not have a default audience configured in your account which means the request you’re performing is simply for user authentication (aka you did not include an audience parameter so the access token returned is meant only to access the user info endpoint in accordance to OIDC.

Given the request is for user authentication only (OIDC) the scope you pass is processed in accordance to that specification, more specifically:

  • the openid scope is a requirement of the specifications and serves only to signal that this is indeed a request to be processed under the rules of OIDC;
  • the user scope is not a recognized scope in terms of OIDC and is as such ignored; you can request access to user information/claims through the means of scope when using OIDC, however, you need to use the recognized scope/claims value (see Requesting Claims using Scope Values.

In addition the grant type being used is the resource owner password credentials (ROPC) grant which implies that the client application already has access to the user password so the response scope includes all the standard OIDC scopes since if the application can be trusted to handle the user password it can implicitly be trusted with all user information.