Auth0 Home Blog Docs

OIDC Claims and Scope Values and Management API Access

scopes

#1

Hi *,

I am sorry to say but I can not figure out, how to use correctly claims and its corresponding scopes. I am working for a larger enterprise where we would like to test if auth0 functionality is sufficient enough to replace our current identity system and migrate those users.

According to the OIDC specification, a client and a user can request authentication with specific scopes (and / or custom scopes) which are inside the corresponding claims (which seems to be api on auth0 side).

BUT: How do I set the value of those scopes in the user information??? (see: https://nat.sakimura.org/2012/01/26/scopes-and-claims-in-openid-connect/)

AND: How is it set for the Auth0 Management API, simply having read access to a scope makes any user FULL ADMIN? Is that really correct?

Would be glad if someone could help me out of my understanding…

Best regards

Benedikt


#2

:wave: @benedikt.wiesnet

I believe what you are referring to is explained in this document here. But I can give a bit of an overview so yes there are standard claims that are a part of OIDC spec https://auth0.com/docs/scopes/current#standard-claims and then there are custom claims https://auth0.com/docs/scopes/current#custom-claims. With the custom claims we can add those using an Auth Rule. You can see an example here and so that could look something like this:

function (user, context, callback) {
    const namespace = 'https://myapp.example.com/';
    context.idToken[namespace + 'favorite_color'] = user.favorite_color;
    context.idToken[namespace + 'preferred_contact'] = user.user_metadata.preferred_contact;
  callback(null, user, context);
}

You can also find more information about API scopes here which would allow you to define the type of access. There is also our Authorization Extension that allows you more control and managing Groups, Roles, and Permissions. But what would fit for you would depend on your use case. If you wanted to share with us your particular use case I could probably formulate a better response for you. Please feel free to DM me if you prefer!