I have a React app that makes remote API calls. All are running on my laptop. I have set up an API on Auth0 with multiple permissions. Let’s call them p1 and p2 for the sake of this discussion. When I want to invoke an endpoint on my backend that requires only p1, can I invoke getAccessTokenSilently with a scope of ‘p1’? In fact, I did so and the token still had both p1 and p2 in the scope. I was expecting it to have ‘p1’ only, since security is all about the principle of least privilege. Am I missing something here? Was I wrong to expect only p1 to show up in the token in the first place? BTW, I am not running into a consent-related issue here, something that was discussed in this thread.
Could you please share some code snippets showing your Provider setup and getAccessTokenSilently invocation? Please redact anything sensitive before sharing it here.
The user has permissions to create:order, delete:order and view:order. However, for viewing the order, I wanted the token to have only “view:order” permissions, based purely on the principle of minimalism. Hope this helps. I don’t have the code on GitHub yet.
Hi @praskatti, are you referring to the permissions array within the token, or what scopes are present in the token?
If it’s the former, this is due to a toggle in the API settings, which will append the user’s full list of permissions regardless of the scopes requested. You can disable this; it is mentioned here in point 3:
If you mean the scopes returned in the token, any scopes you specify in the getAccessTokenSilently call will be appended to the set of scopes set in the Auth0Provider’s scope, which defaults to “openid profile email” if no scope is specified in the provider.
Steve,
I went back and made the changes as suggested by the post. However, I could not get it working.
I tried to parse this particular suggestion:
==
When RBAC is disabled, the default behavior is observed; an application can request any permission defined for the API, and the scope claim will include all requested permissions
It does not include the permissions in the scope. Is there some working version of this on GitHub?
Heya @praskatti, provided your user has had the permissions applied to their user account (directly or through roles that contain the required permissions), and you are specifying the correct audience for the scope’s parent API in your /authorize call, it should be showing in the access token.
The react app quickstart here shows a getAccessTokenSilently call in action and you can download the example from GitHub to try out against your own tenant and audience.
Please note though if you are trying to get scopes for the Management API, this is very limited for SPAs and only certain scopes can be requested:
Hi Steve,
Thank you. If I have a complex app and need to deal with fine-grained permissions for my 50-odd microservices, will I then have to specify 50 scopes while using the Auth0Provider? Surely there can be a more elegant way of handling this scenario.
You’d want to set the commonly used scopes in the Auth0Provider, and add additional scopes as and when required using the getAccessTokenSilently to fetch new tokens with the relevant permissions.
There are some previous community questions here on this topic which may help you:
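As an added illustration of the two answers above (this is not code from the thread or from the auth0-react SDK), the snippet below models how the scopes passed to getAccessTokenSilently are merged with the Auth0Provider scopes, builds a constructed, unsigned token shaped like the one the original poster saw (scope limited to what was requested, permissions array still listing everything), and shows a backend check that gates on the `scope` claim for the least-privilege goal discussed. The merge behaviour, the token contents and the API audience are assumptions for the example; a real API must verify the token signature before reading any claim.

```javascript
// auth0-react's default scope when the provider does not set one (per the thread).
const DEFAULT_PROVIDER_SCOPE = 'openid profile email';

// Assumption: scopes given to getAccessTokenSilently are unioned with the
// provider's scopes, as described above. Order kept, duplicates dropped.
function effectiveScopes(providerScope, callScope) {
  const all = [
    ...(providerScope || DEFAULT_PROVIDER_SCOPE).split(/\s+/),
    ...(callScope || '').split(/\s+/),
  ];
  return [...new Set(all.filter(Boolean))];
}

function toB64url(s) {
  return Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function fromB64url(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Constructed, UNSIGNED token for the demo only (alg "none", empty signature).
function makeUnsignedToken(payload) {
  const header = toB64url(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${toB64url(JSON.stringify(payload))}.`;
}

// Decodes the payload WITHOUT verifying it. Only acceptable here because the
// token is constructed locally; a real API verifies the signature first.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(fromB64url(parts[1]));
}

// Backend check: trust only what was actually granted in the `scope` claim.
// The `permissions` array (added by the API-settings toggle mentioned above)
// lists the user's full permission set regardless of what was requested.
function hasScope(payload, required) {
  return (payload.scope || '').split(/\s+/).filter(Boolean).includes(required);
}

// Token shaped like the original poster's: only view:order requested in the
// call, yet the permissions array still carries all three permissions.
const sampleToken = makeUnsignedToken({
  sub: 'auth0|example-user',                 // constructed
  aud: 'https://orders.example/api',         // assumed API audience
  scope: effectiveScopes(undefined, 'view:order').join(' '),
  permissions: ['create:order', 'delete:order', 'view:order'],
});

// What the view-order and delete-order endpoints would decide for this token.
function canViewOrder(token) { return hasScope(decodePayload(token), 'view:order'); }
function canDeleteOrder(token) { return hasScope(decodePayload(token), 'delete:order'); }
```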