Removing 'openid','profile' scopes from access token

rules

#1

Hi guys,
I have set up a rule wherein the scopes ‘openid’ and ‘profile’ are filtered out from the issued access token scope. I am adding some custom permissions to the scope.

  function (user, context, callback) {
    // Permissions stored on the user object; defaults to none
    var permissions = user.permissions || [];
    // Scopes the client asked for, from the POST body or the query string
    var requestedScopes = context.request.body.scope || context.request.query.scope || '';
    // Drop any permission-style scope (contains ':') and the OIDC scopes openid/profile
    var filteredScopes = requestedScopes.split(' ').filter(function (x) {
      return x.indexOf(':') < 0 && x !== 'openid' && x !== 'profile';
    });
    // Append the user's own permissions and write the result to the access token
    Array.prototype.push.apply(filteredScopes, permissions);
    context.accessToken.scope = filteredScopes.join(' ');

    callback(null, user, context);
  }

However the scopes “openid” and “profile” are not getting removed from the issued access token.
I tried debugging but the console is not accessible for some reason.

Appreciate any help
Regards
Aswin


#2

Update: Managed to get it working, I think the rule took some time to apply. But there is something strange happening when I filter out (remove) the profile from the access token scope. The returned ID token does not contain profile information. So for now I am just filtering out the openid scope from the access token. So to ask:

I have a SPA+API setup, i.e. implicit grant flow.

The scope “profile” is used for returning the claims as defined in 5.4 of the openid-connect-core-1_0 spec. If I remove the “profile” scope from the access token in the rule pipeline, does it affect the ID token (no profile claims returned)?
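As an added example (not part of the original post), the rule's scope filter as a standalone function alongside a small Node.js script that decodes an issued access token's payload to confirm which scopes actually survived the rule, for when the rule console is unavailable; the token, tenant name and scopes are constructed samples.

```javascript
// Added example, not from the original post. decodeJwtPayload does NOT verify
// the signature; it is for inspecting your own tokens, never for authorization.

function filterScopes(requestedScope, permissions, dropped) {
  // Mirrors the rule: keep scopes without ':' that are not in `dropped`,
  // then append the user's permissions. Tolerates a missing scope parameter.
  var kept = (requestedScope || '').split(' ').filter(function (s) {
    return s && s.indexOf(':') < 0 && dropped.indexOf(s) < 0;
  });
  return kept.concat(permissions || []).join(' ');
}

function base64urlEncode(str) {
  // JWT segments use base64url (RFC 4648 section 5) without padding.
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64urlDecode(s) {
  // Node's base64 decoder accepts missing padding once the alphabet is restored.
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

function decodeJwtPayload(token) {
  var parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected a compact JWS: header.payload.signature');
  return JSON.parse(base64urlDecode(parts[1]));
}

function scopeReport(token, dropped) {
  // Scopes present in the token, and which of the supposedly removed ones leaked through.
  var scope = (decodeJwtPayload(token).scope || '').split(' ').filter(Boolean);
  return { scope: scope, leaked: scope.filter(function (s) { return dropped.indexOf(s) >= 0; }) };
}

// Constructed sample: a token whose scope claim is what the rule should emit for a
// request of "openid profile email read:messages" by a user holding "read:messages".
var DROPPED = ['openid', 'profile'];
var SAMPLE_SCOPE = filterScopes('openid profile email read:messages', ['read:messages'], DROPPED);
var SAMPLE_TOKEN = [
  base64urlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' })),
  base64urlEncode(JSON.stringify({ iss: 'https://TENANT.auth0.com/', scope: SAMPLE_SCOPE })),
  'signature-placeholder'
].join('.');

console.log(scopeReport(SAMPLE_TOKEN, DROPPED));
```

Paste a real access token in place of SAMPLE_TOKEN to see whether the rule's filtering is reflected in the `scope` claim; an entry in `leaked` means the rule did not take effect.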