We are creating staging environments, and while replicating our dev environment (with a corresponding Auth0 tenant) we noticed that requested scopes were not present in the JWT (as they are in our dev env). We’ve done research into why this is happening and can’t find a cause. RBAC is enabled, the user has the requested permission, but the scope in the access token does not include it. Any ideas of what could be missing? Thanks in advance!
Update: we have a React single-page application (using the Auth0 SDK) and this works fine (e.g. the access token has the required scopes) in development mode. When building, though (using yarn), getAccessTokenSilently returns the JWT without the requested scopes (that I am sure the user has). Are there any issues with yarn build and the Auth0 SDK for React? We are serving the single-page webapp through nginx.
I managed to understand the problem. The scopes are a string with spaces in the environment file. We added double quotes to the entry in the env file. In development mode, the quotes are passed as a string. When building, though, another quote is added to the quotes, so Auth0 is getting the scopes with 3 quotes, something like a quoted string or similar. I suspect this is the reason we are not getting any scopes back. When we take away the quotes in the env file it works fine, but I suppose it’s better to leave the quotes and add processing to take away the extra quotes before sending the scopes.
We left the env file variables with quotes (a couple of articles point out that it is better practice that way) and we are correctly parsing them in our JS code. Thanks for the help!
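
The fix described in this thread (strip extra quotes from the scope string before it reaches Auth0, then confirm the token carries what was asked for), sketched as an added example that is not the poster's code. The function names, scope values and sample token are constructed for illustration.

```javascript
// Remove any number of matching quote layers wrapped around an env value,
// e.g. '"""read:users write:users"""' -> 'read:users write:users'.
function stripQuotes(value) {
  let s = String(value ?? "").trim();
  while (s.length >= 2 && (s[0] === '"' || s[0] === "'") && s[s.length - 1] === s[0]) {
    s = s.slice(1, -1).trim();
  }
  return s;
}

// Turn the raw env value into a clean, space-delimited, de-duplicated scope
// string. A quote left inside a scope means the value is still malformed,
// so fail loudly instead of sending it to the authorization server.
function normalizeScopes(raw) {
  const parts = stripQuotes(raw).split(/\s+/).filter(Boolean);
  for (const p of parts) {
    if (/["'\\]/.test(p)) throw new Error(`malformed scope entry: ${p}`);
  }
  return [...new Set(parts)].join(" ");
}

// Decode the JWT payload for diagnostics only (no signature verification).
// atob is available in browsers and in Node 16+.
function jwtPayload(token) {
  const b64 = token.split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(atob(b64));
}

// List requested scopes that are absent from the token's "scope" claim.
function missingScopes(requestedRaw, token) {
  const granted = new Set(String(jwtPayload(token).scope || "").split(/\s+/));
  return normalizeScopes(requestedRaw).split(" ").filter((s) => s && !granted.has(s));
}

// Constructed sample token (unsigned placeholder signature) for offline use.
const b64url = (o) =>
  btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = [
  b64url({ alg: "RS256", typ: "JWT" }),
  b64url({ scope: "openid read:users" }),
  "constructed-signature",
].join(".");

console.log(normalizeScopes('"""read:users write:users"""'));
console.log(missingScopes('"read:users delete:users"', sampleToken));
```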