OIDC Discovery Document Customization

I’m a developer working on integrating authentication with auth0, and am using some OpenID Connect schemes and patterns in my code. Particularly, I am pulling the OIDC discovery document that is hosted by auth0, and validating that my application is configured correctly, according to what this document provides. My application is using a custom scope, let’s say “foo”, however that scope does not appear in the list of supported scoped by the .well-known/openid-configuration file and therefore fails my validation where my configuration is cross referenced with the document.

Is there a way to be able to customize that document in my auth0 tenant such that this validation may succeed? I’ve looked and can only seem to find documentation how to use other providers’ OIDC discovery document in my auth0 app, but not how best to consume and customize my auth0 tenant’s document

Hi @adambullmerltk

Welcome to Auth0 Community !!!

.well-known/openid-configuration is an open id standard URL exposed by Authorization server (Auth0) to validate JWT token against standard claims. This URL exposes standard scopes and not the custom scopes such as foo. Custom scopes get validated on resource server side by a piece of code you write using a library or SDK. May I ask:

  • Which SDK or library you are using in your application ?
  • What error you are getting when validation fails ?

Thank you
Jeff

1 Like

Which SDK or library are you using in your application

the library in question is nuxt-auth specifically their OIDC scheme. It will pull the oidc configuration, and validate that config against the configuration of the authentication method to validate that client app is setup correctly

What error you are getting when validation fails ?

The error is that my app is configured to request a custom scope, and the validation ensuring that the client isn’t misconfigured fails on scope validation as foo isn’t returned from the openid configuration document, but configured to be requested in my client. Said another way it checks that the array of scopes scopes the app is going to request completely overlaps with the array of scopes returned from the openid configuration document, and any missing scopes is determined to be client configuration error as that scope doesn’t exist.

I think it would be really helpful if there were a way to do any of

  • always expose custom scopes on the config document
  • allow turning on/off exposing custom scopes through the openid configuration file
  • allow uploading your own config file

any of those should would allow discovery to validate that custom scopes are not a configuration error

Hi @adambullmerltk

To troubleshoot this further I would need :

  1. Your company and tenant name
  2. Sample of claims inside your access and id token. Do not paste access and id token here. All I need is claim inside it. May be you can share a google doc we can collaborate on ?

Thank you
Jeff