When refreshing an access token, the originally granted scopes are nowhere to be found when a rule or action is executed. We have some logic in Auth0 rules adding some data to the access token if a custom scope is provided in the request body, and are now trying to add refresh tokens to our application.
I am using the Auth0 express-openid-connect middleware, and could pass the scopes to the refresh request. But omitting the scopes in the refresh request should result in it being treated as equal to the scope originally granted by the resource owner.
Should I have to resend the scopes in the request for refreshing my access token in order to see them within a rule or action?
If I’m understanding correctly, the contents of the Access Token are the same in the token returned; however, you’re unable to access any custom scopes added via extensibility previously? A bit of a tricky situation here, but I believe adding custom props on the silent auth may be the only option to pick up in a rule/action: