I have a React app that makes remote API calls. All are running on my laptop. I have set up an API on Auth0 with multiple permissions. Let’s call them p1 and p2 for the sake of this discussion. When I want to invoke an endpoint on my backend that requires only p1, can I invoke getAccessTokenSilently with a scope of ‘p1’? In fact, I did so and the token still had both p1 and p2 in the scope. I was expecting it to have ‘p1’ only, since security is all about the principle of least privilege. Am I missing something here? Was I wrong to expect only p1 to show up in the token in the first place? BTW, I am not running into a consent-related issue here, something that was discussed in this thread.
The user has permissions to create:order, delete:order and view:order. However, for viewing the order, I wanted the token to have only “view:order” permissions, based purely on the principle of minimalism. Hope this helps. I don’t have the code on GitHub yet.
Hi @praskatti, are you referring to the permissions array within the token, or what scopes are present in the token?
If it’s the former, this is due to a toggle in the API settings, which will append the user’s full list of permissions regardless of the scopes requested. You can disable this; it is mentioned here in point 3:
If you mean the scopes returned in the token, any scopes you specify in the getAccessTokenSilently call will be appended to the set of scopes set in the Auth0Provider's scope, which defaults to “openid profile email” if no scope is specified in the provider.
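The scope-appending behaviour and the scope-versus-permissions distinction from this answer, as an added example in plain Node.js (not code from the thread or from the Auth0 SDK). It assumes a constructed, unsigned sample token and the hypothetical helper names below; decoding claims this way is for inspection only and does not replace signature verification on the backend.

```javascript
// Added example (not code from the thread or from Auth0): shows how the
// requested scope is assembled and how to inspect what a token really grants.
// Assumptions: Node.js; the token is decoded WITHOUT signature verification
// (that is the backend's job); the sample claims below are constructed.

const DEFAULT_PROVIDER_SCOPE = 'openid profile email';
const OIDC_SCOPES = new Set(DEFAULT_PROVIDER_SCOPE.split(' '));

// Mirrors the behaviour described in the answer: scopes passed to
// getAccessTokenSilently are appended to the Auth0Provider scope.
function effectiveRequestedScope(providerScope, callScope) {
  const words = `${providerScope || DEFAULT_PROVIDER_SCOPE} ${callScope || ''}`;
  return [...new Set(words.trim().split(/\s+/))].join(' ');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const pad = b64.length % 4 ? '='.repeat(4 - (b64.length % 4)) : '';
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

// Constructed, unsigned token: only the payload matters for this check.
function makeUnsignedToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.`;
}

// Reads the claims out of a compact JWT (no verification performed).
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Compares both the "scope" claim and the "permissions" array against what
// an endpoint needs, so over-granting (the p1/p2 surprise above) is visible.
// OIDC identity scopes are ignored; they are not API permissions.
function privilegeReport(claims, required) {
  const scopes = claims.scope ? claims.scope.split(' ') : [];
  const granted = new Set([...scopes, ...(claims.permissions || [])]);
  const missing = required.filter(r => !granted.has(r));
  const excess = [...granted].filter(g => !required.includes(g) && !OIDC_SCOPES.has(g));
  return { missing, excess };
}
```

With the permissions toggle enabled, `privilegeReport` lists create:order and delete:order as excess even though only view:order was requested; with it disabled, the scope claim alone decides.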
Heya @praskatti , provided your user has had the permissions applied to their user account, directly or through roles that contain the required permissions, and you are specifying the correct audience for the scope’s parent API in your /authorize call it should be showing in the access token.
The react app quickstart here shows a getAccessTokenSilently call in action and you can download the example from GitHub to try out against your own tenant and audience.
Please note though if you are trying to get scopes for the Management API, this is very limited for SPAs and only certain scopes can be requested:
Thank you. If I have a complex app and need to deal with fine-grained permissions for my 50-odd microservices, will I then have to specify 50 scopes while using the Auth0Provider? Surely there can be a more elegant way of handling this scenario.