I’m making the following request:
{{baseUrl}}/oauth/token
{
  "grant_type": "http://auth0.com/oauth/grant-type/password-realm",
  "realm": "{{realm}}",
  "username": "{{username}}",
  "password": "{{password}}",
  "audience": "{{apiIdentifier}}",
  "scope": "",
  "client_id": "{{clientId}}"
}
Note that the value of the scope field is empty, in which case the response includes all scopes configured for my API. However, if I make the value of the scope field a specific scope, then the response is completely missing the entire scope field.
The docs here indicate that what I’m trying to do should work. I have no rules running in this scenario.
Password grant and standard scopes
If no API scopes (such as read:notes) are included in the request, all API scopes (such as read:notes, create:notes, and so on) are included in the access_token. If only the openid scope is included in the request, all openid standard scopes will be returned, such as openid profile email address phone. In these cases, the scope parameter will be included in the response, listing the issued scopes. This happens because a password is equal to full access and hence any password-based exchange gives access to all scopes.
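Added example (not from the post or from Auth0): a small Python helper that builds the same password-realm request body and, when the token response omits the top-level `scope` field, reads the issued scopes from the access token's `scope` claim instead, so the two cases in the post can be compared against what was requested. It assumes the access token is a JWT (an API `audience` was set, as above); opaque tokens yield an empty set. The token responses below are constructed for the offline demo.

```python
import base64
import json

TOKEN_URL = "{{baseUrl}}/oauth/token"  # placeholder, as in the post


def password_realm_body(realm, username, password, audience, client_id, scope=""):
    """Body for the Auth0 password-realm grant, matching the request in the post."""
    return {
        "grant_type": "http://auth0.com/oauth/grant-type/password-realm",
        "realm": realm, "username": username, "password": password,
        "audience": audience, "scope": scope, "client_id": client_id,
    }


def _jwt_payload(token):
    """Decode a JWT payload WITHOUT verifying the signature: fine for inspecting a
    token issued to yourself, never for an authorization decision. {} if opaque."""
    parts = token.split(".")
    if len(parts) != 3:
        return {}
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        return json.loads(base64.urlsafe_b64decode(seg))
    except (ValueError, UnicodeDecodeError):
        return {}


def granted_scopes(token_response):
    """Scopes actually issued: the top-level `scope` field when present (the
    empty-scope case), otherwise the access token's `scope` claim."""
    if "scope" in token_response:
        return set(token_response["scope"].split())
    claim = _jwt_payload(token_response.get("access_token", "")).get("scope", "")
    return set(claim.split())


def scopes_missing(requested, token_response):
    """Requested scopes that were not granted (useful when `scope` is absent)."""
    return set(requested.split()) - granted_scopes(token_response)


def _constructed_jwt(payload):
    """Unsigned, clearly fake JWT for the demo only (constructed, not an Auth0 token)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(payload)}.fakesig"


# Constructed responses mirroring the two cases in the post.
RESP_EMPTY_SCOPE = {"access_token": _constructed_jwt({"scope": "read:notes create:notes"}),
                    "scope": "read:notes create:notes", "token_type": "Bearer"}
RESP_SPECIFIC_SCOPE = {"access_token": _constructed_jwt({"scope": "read:notes"}),
                       "token_type": "Bearer"}  # no top-level `scope`, as observed
```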