Jwt missing scope

g.padres · February 3, 2022, 7:49am

Hi,

We are creating staging environments, and while replicating our dev environment (with corresponding Auth0 tenant) we noticed that requested scopes were not being present in the JWT (as in our dev env). We’ve done research into why this is happening and can’t find a cause. RBAC is enabled, user has the requested permission, but the scope in the access token does not include it. Any ideas of what could be missing? Thanks beforehand!

/Guillermo

g.padres · February 3, 2022, 9:57pm

Update: we have a react single page application (using Auth0 SDK) and this works fine (e.g. access token has required scopes) in development mode. When building though (using yarn), getAccessTokenSilently replies the JWT without the requested scopes (that I am sure the user has). Is there any issues with yarn build and the Auth0 SDK for React? We are serving the single webapp through nginx

dan.woda · February 3, 2022, 10:05pm

Hi @g.padres,

Are you seeing a permissions array in the access token? If not, can you give us an example of the Access Token you are seeing?

Helpful tip: replying to your own support topic removes it from our unanswered queue.

g.padres · February 3, 2022, 11:17pm

Hi Dan,

I managed to understand the problem. The scopes are a string with spaces in the environment file. We added double quotes to the entry in the env file. In development mode, the quotes are passed as a string. When building though, the quotes are added another quote, so Auth0 is getting the scopes with 3 quotes, something like a quoted string or similar. I suspect this is the reason we are not getting any scopes back. When taking away the quotes on the env file it works fine, but I suppose it’s better to leave the quotes and process to take away extra quotes before sending scopes.

Thoughts?

dan.woda · February 3, 2022, 11:18pm

Do you have an example?

g.padres · February 3, 2022, 11:22pm

in env file

REACT_APP_AUTH0_SCOPE="admin user"

In react, scopes variable that serves as input to initialize Auth0 provider:

const scopes = process.env.REACT_APP_AUTH0_SCOPE;

Digging through the built js files, I found the following lines:

REACT_APP_AUTH0_SCOPE:'"admin user"'

dan.woda · February 3, 2022, 11:49pm

I don’t think .env files typically include quotes for strings. You could also do as we do in our examples and use an auth_config.json file.

g.padres · February 4, 2022, 12:56pm

We left the env file variables with quotes (a couple of articles point that is better practice that way) and we are correctly parsing them in our JS code. Thanks for the help!

dan.woda · February 4, 2022, 9:13pm

Great. Thanks for following up with your solution!

system · February 19, 2022, 9:13pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Auth0 JWT doesn't have requested API Scopes Help jwt , scopes	10	4399	September 4, 2021
Restrict access to React app with RBAC Scopes JWT.io jwt , auth0 , react	0	2133	September 16, 2022
Adding Scopes to Access Token created for React app Help management-api , roles	4	1795	December 17, 2023
Confused: Permissions are not part of Scopes in JWT token Help jwt	3	4133	March 5, 2021
Insufficient Scope but my token contains required permissions JWT.io jwt , scope	11	12934	November 30, 2022

Jwt missing scope

Related Topics