JWT missing scope


We are creating staging environments, and while replicating our dev environment (with corresponding Auth0 tenant) we noticed that requested scopes were not present in the JWT (as in our dev env). We’ve done research into why this is happening and can’t find a cause. RBAC is enabled, user has the requested permission, but the scope in the access token does not include it. Any ideas of what could be missing? Thanks beforehand!


Update: we have a React single page application (using Auth0 SDK) and this works fine (e.g. access token has required scopes) in development mode. When building though (using yarn), getAccessTokenSilently returns the JWT without the requested scopes (that I am sure the user has). Are there any issues with yarn build and the Auth0 SDK for React? We are serving the single webapp through nginx.

Hi @g.padres,

Are you seeing a permissions array in the access token? If not, can you give us an example of the Access Token you are seeing?

Helpful tip: replying to your own support topic removes it from our unanswered queue.

Hi Dan,

I managed to understand the problem. The scopes are a string with spaces in the environment file. We added double quotes to the entry in the env file. In development mode, the quotes are passed as a string. When building, though, another quote is added to the quotes, so Auth0 is getting the scopes with 3 quotes, something like a quoted string or similar. I suspect this is the reason we are not getting any scopes back. When taking away the quotes in the env file it works fine, but I suppose it’s better to leave the quotes and process the value to take away the extra quotes before sending the scopes.


Do you have an example?

In the env file:

REACT_APP_AUTH0_SCOPE="admin user"

In React, the scopes variable that serves as input to initialize the Auth0 provider:

const scopes = process.env.REACT_APP_AUTH0_SCOPE;

Digging through the built js files, I found the following lines:

REACT_APP_AUTH0_SCOPE:'"admin user"'

I don’t think .env files typically include quotes for strings. You could also do as we do in our examples and use an auth_config.json file.

We left the env file variables with quotes (a couple of articles point out that it is better practice that way) and we are correctly parsing them in our JS code. Thanks for the help!

Great. Thanks for following up with your solution!
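
The fix described in this thread (removing the extra quotes before the scope string reaches Auth0), as an added example that is not code from the posters or from Auth0. `normalizeScope` and `stripOuterQuotes` are hypothetical names and the sample values are constructed; the example also rejects tokens that are invalid under RFC 6749 section 3.3, so a mis-quoted value fails at startup instead of silently yielding a token without scopes.

```javascript
// Added example: normalise a scope string read from an env file before it is
// passed to the Auth0 provider. Function names are hypothetical.

// RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E ),
// i.e. printable ASCII without space, double quote or backslash.
const SCOPE_TOKEN = /^[\x21\x23-\x5B\x5D-\x7E]+$/;

// Remove matching outer quote pairs, however many layers the tooling added.
function stripOuterQuotes(value) {
  let v = value.trim();
  while (
    v.length >= 2 &&
    (v[0] === '"' || v[0] === "'") &&
    v[v.length - 1] === v[0]
  ) {
    v = v.slice(1, -1).trim();
  }
  return v;
}

// Return a clean space-delimited scope string, or throw so that the
// misconfiguration is visible at startup.
function normalizeScope(raw) {
  if (typeof raw !== "string") throw new Error("scope variable is not set");
  const tokens = stripOuterQuotes(raw).split(/\s+/).filter(Boolean);
  if (tokens.length === 0) throw new Error("scope variable is empty");
  const bad = tokens.filter((t) => !SCOPE_TOKEN.test(t));
  if (bad.length > 0) {
    throw new Error("invalid scope token(s): " + bad.join(", "));
  }
  return tokens.join(" ");
}

// Constructed samples: unquoted, quoted once, and the doubly quoted form
// found in the built JS files in this thread.
const samples = ["admin user", '"admin user"', "'\"admin user\"'"];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(normalizeScope(s)));
}

// In the app (assumption): const scopes = normalizeScope(process.env.REACT_APP_AUTH0_SCOPE);
```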
