Query about invoking getAccessTokenSilently() with limited scopes

Hi Auth0 Team,

I have a React app that makes remote API calls. All are running on my laptop. I have set up an API on Auth0 with multiple permissions. Let’s call them p1 and p2 for the sake of this discussion. When I want to invoke an endpoint on my backend that requires only p1, can I invoke getAccessTokenSilently with a scope of ‘p1’? In fact, I did so and the token still had both p1 and p2 in the scope. I was expecting it to have ‘p1’ only, since security is all about the principle of least privilege. Am I missing something here? Was I wrong to expect only p1 to show up in the token in the first place? BTW, I am not running into a consent-related issue here, something that was discussed in this thread.

Thank you.
Prasad

Hi Prasad,

Could you please share some code snippets showing your Provider setup and getAccessTokenSilently invocation? Please redact anything sensitive before sharing it here.

2 Likes

Hi Steve,

Here’s the snippet of the code I tried using unsuccessfully:

==
// Request a token for the API, asking only for the scope this call needs
const token = await getAccessTokenSilently({
  audience,
  scope: "view:order",
});

==
<Auth0Provider
  domain={domain}
  clientId={client_id}
  audience={audience}
  redirectUri={window.location.origin}
>
  <App />
</Auth0Provider>,

==

The user has permissions to create:order, delete:order and view:order. However, for viewing the order, I wanted the token to have only “view:order” permissions, based purely on the principle of minimalism. Hope this helps. I don’t have the code on GitHub yet.

Thank you.
Prasad

Hi @praskatti, are you referring to the permissions array within the token, or what scopes are present in the token?

If it’s the former, this is due to a toggle in the API settings, which will append the user’s full list of permissions regardless of the scopes requested. You can disable this, as mentioned here in point 3:

If you mean the scopes returned in the token, any scopes you specify in the getAccessTokenSilently call will be appended to the set of scopes set in the Auth0Provider’s scope, which defaults to “openid profile email” if no scope is specified in the provider.

1 Like
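An added example, not part of the original thread or of Auth0's SDK: a small inspection helper that tells apart the two cases described in the reply above by decoding an access token's payload and comparing its `scope` string and its `permissions` array against what one call requested. The sample token, the `https://api.example.test` audience and the function names are constructed for illustration; the default provider scope is the one quoted in the reply.

```javascript
// Inspection only: the payload is decoded WITHOUT verifying the signature,
// so this must never be used to make an authorization decision.
const b64urlDecode = (s) => {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(s.length / 4) * 4, "=");
  return typeof atob === "function"
    ? atob(b64) : Buffer.from(b64, "base64").toString("binary");
};
const b64urlEncode = (s) => {
  const b64 = typeof btoa === "function"
    ? btoa(s) : Buffer.from(s, "binary").toString("base64");
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
};

function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS access token");
  return JSON.parse(b64urlDecode(parts[1]));
}

// Compare one call's request against both places privileges can appear.
function auditToken(jwt, requestedScope, providerScope = "openid profile email") {
  const claims = decodePayload(jwt);
  const words = (v) => String(v || "").split(/\s+/).filter(Boolean);
  const expected = new Set(words(`${providerScope} ${requestedScope}`));
  const granted = words(claims.scope);
  const permissions = Array.isArray(claims.permissions) ? claims.permissions : [];
  return {
    extraInScope: granted.filter((s) => !expected.has(s)),
    extraInPermissions: permissions.filter((p) => !expected.has(p)),
    missingFromScope: [...expected].filter((s) => !granted.includes(s)),
  };
}

// Constructed sample: scope matches the request, but the permissions array
// carries everything assigned to the user.
const samplePayload = {
  aud: "https://api.example.test",
  scope: "openid profile email view:order",
  permissions: ["create:order", "delete:order", "view:order"],
};
const sampleToken = [
  b64urlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" })),
  b64urlEncode(JSON.stringify(samplePayload)),
  "constructed-signature",
].join(".");

console.log(auditToken(sampleToken, "view:order"));
```

Entries in `extraInPermissions` with an empty `extraInScope` point at the API-settings toggle; entries in `extraInScope` point at scopes configured on the provider.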

Thanks Steve, will check and post an update.

1 Like

Steve,
I went back to make the changes as suggested by the post. However, I could not get it working.

I tried to parse this particular suggestion:

==
. When RBAC is disabled, the default behavior is observed; an application can request any permission defined for the API, and the scope claim will include all requested permissions

It does not include the permissions in the scope. Is there some working version of this on GitHub?

Thank you.
Prasad

Heya @praskatti, provided your user has had the permissions applied to their user account, directly or through roles that contain the required permissions, and you are specifying the correct audience for the scope’s parent API in your /authorize call, it should be showing in the access token.
The react app quickstart here shows a getAccessTokenSilently call in action and you can download the example from GitHub to try out against your own tenant and audience.

Please note, though, if you are trying to get scopes for the Management API, this is very limited for SPAs and only certain scopes can be requested:

1 Like

Hi Steve,
Thank you. If I have a complex app and need to deal with fine-grained permissions for my 50-odd microservices, will I then have to specify 50 scopes while using the Auth0Provider? Surely there can be a more elegant way of handling this scenario.

Thank you.

Hi @praskatti,

You’d want to set the commonly used scopes in the Auth0Provider, and add additional scopes as and when required using the getAccessTokenSilently to fetch new tokens with the relevant permissions.

There are some previous community questions here on this topic which may help you:

You may also want to review this blog article:

1 Like
