Query about invoking getAccessTokenSilently() with limited scopes

Hi Auth0 Team,

I have a React app that makes remote API calls. All are running on my laptop. I have set up an API on Auth0 with multiple permissions. Let's call them p1 and p2 for the sake of this discussion. When I want to invoke an endpoint on my backend that requires only p1, can I invoke getAccessTokenSilently with a scope of 'p1'? In fact, I did so and the token still had both p1 and p2 in the scope. I was expecting it to have 'p1' only, since security is all about the principle of least privilege. Am I missing something here? Was I wrong to expect only p1 to show up in the token in the first place? BTW, I am not running into a consent-related issue here, something that was discussed in this thread.

thank you.
Prasad

Hi Prasad,

Could you please share some code snippets showing your Provider setup and getAccessTokenSilently invocation? Please redact anything sensitive before sharing it here.


Hi Steve,

Here's the snippet of the code I tried using unsuccessfully:

==
// Request a token for the API, asking only for the "view:order" scope
const token = await getAccessTokenSilently(
  {
    audience,
    scope: "view:order"
  }
);
==
<Auth0Provider
  domain={domain}
  clientId={client_id}
  audience={audience}
  redirectUri={window.location.origin}
>
  <App />
</Auth0Provider>
==

The user has permissions to create:order, delete:order and view:order. However, for viewing the order, I wanted the token to have only "view:order" permissions, based purely on the principle of minimalism. Hope this helps. I don't have the code on GitHub yet.

Thank you.
Prasad
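The check a practitioner would want here, as an added example that is not code from the thread, Auth0, or the auth0-react SDK: decode the payload of the access token that getAccessTokenSilently() returns and compare its granted scopes with the scope that was requested, so an over-scoped token like the one described above is detected rather than assumed. It only base64url-decodes the JWT payload (no signature verification), so it is a client-side diagnostic, never an authorization decision. Assumptions: the access token is a JWT with a space-separated `scope` claim (and optionally Auth0's `permissions` array claim); the list of default non-API scopes, the `getScopedToken` wrapper, and the sample token are all constructed for this example.

```javascript
// Added example (not from the original thread): inspect the access token
// returned by getAccessTokenSilently() and report whether its granted scopes
// exceed the ones that were requested. Payload is base64url-decoded only;
// there is no signature check, so this is a diagnostic, not an authz check.
// Assumption: the token is a JWT with a space-separated "scope" claim.

// OIDC scopes the SDK is assumed to add by default; they are not API
// permissions, so they are ignored when judging least privilege.
const NON_API_SCOPES = new Set(['openid', 'profile', 'email', 'offline_access']);

function base64UrlEncode(value) {
  const json = JSON.stringify(value);
  const b64 = typeof Buffer !== 'undefined'
    ? Buffer.from(json, 'utf8').toString('base64')
    : btoa(String.fromCharCode(...new TextEncoder().encode(json)));
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(segment) {
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) b64 += '=';          // JWT segments drop padding
  if (typeof Buffer !== 'undefined') {
    return Buffer.from(b64, 'base64').toString('utf8');
  }
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Build an unsigned header.payload.signature string for offline tests only.
function makeUnsignedToken(payload) {
  return [
    base64UrlEncode({ alg: 'none', typ: 'JWT' }),
    base64UrlEncode(payload),
    'signature-omitted',
  ].join('.');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('not a JWT: expected header.payload.signature');
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Split a scope string into API scopes, dropping the OIDC defaults.
function parseScopes(scopeString) {
  return (scopeString || '').split(' ').filter((s) => s && !NON_API_SCOPES.has(s));
}

// Compare requested vs granted API scopes. "extra" is what the token carries
// beyond the request (the complaint in the thread); "missing" is what was
// requested but not granted, e.g. a permission the user does not hold.
function auditTokenScopes(token, requestedScope) {
  const payload = decodeJwtPayload(token);
  const requested = new Set(parseScopes(requestedScope));
  const granted = parseScopes(payload.scope);
  const extra = granted.filter((s) => !requested.has(s));
  const missing = [...requested].filter((s) => !granted.includes(s));
  return {
    granted,
    extra,
    missing,
    permissions: Array.isArray(payload.permissions) ? payload.permissions : [],
    leastPrivilege: extra.length === 0 && missing.length === 0,
  };
}

// Hypothetical wrapper around the hook's getAccessTokenSilently (same
// { audience, scope } options as the snippet above) that warns when the
// token it receives is over-scoped.
async function getScopedToken(getAccessTokenSilently, audience, scope) {
  const token = await getAccessTokenSilently({ audience, scope });
  const report = auditTokenScopes(token, scope);
  if (report.extra.length > 0) {
    console.warn(`token for scope "${scope}" also carries: ${report.extra.join(' ')}`);
  }
  return token;
}

// Constructed sample resembling what was observed: "view:order" requested,
// but the scope claim lists every order permission the user holds.
const SAMPLE_TOKEN = makeUnsignedToken({
  iss: 'https://example.auth0.com/',
  aud: 'https://orders.example.com',
  sub: 'auth0|example-user',
  scope: 'openid profile email view:order create:order delete:order',
  permissions: ['view:order', 'create:order', 'delete:order'],
});

console.log(auditTokenScopes(SAMPLE_TOKEN, 'view:order'));
```

Inside a component you would call `getScopedToken(getAccessTokenSilently, audience, 'view:order')` with the function from `useAuth0()`; the warning shows whether the token really was narrowed. Whatever the client sees, the backend must still verify the token's signature and issuer and enforce the required scope per endpoint, since the token contents are only as trustworthy as that verification.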