Removing 'openid','profile' scopes from access token

aswin.v · 2018-04-18 19:04:57 UTC

Hi guys,
I have set up a rule wherein the scopes ‘openid’ and ‘profile’ are filtered out from the issued access token scope.I am adding some custom permissions to the scope.

 var permissions = user.permissions || [];
  var requestedScopes = context.request.body.scope || context.request.query.scope;
  var filteredScopes = requestedScopes.split(' ').filter( function(x) {
    return x.indexOf(':') < 0 && x!=='openid' && x!=='profile';
  });
  Array.prototype.push.apply(filteredScopes, permissions);
  context.accessToken.scope = filteredScopes.join(' ');

  callback(null, user, context);

However the scopes “openid” and “profile” are not getting removed from the issued access token.
I tried debugging but the console is not accessible for some reason.

Appreciate any help
Regards
Aswin

aswin.v · 2018-04-18 20:17:50 UTC

Update:Managed to get it working, I think the rule took some time to apply. But there is something strange happening when I filter out (remove) the profile from access Token scope. The returned ID token does not contain profile information.So for now just filtering out openid scope from access token. So to ask:

I have a SPA+API setup i.e implicit grant flow.

The scopes “profile” is used for returning the claims as defined in 5.4 of openid-connect-core-1_0 spec.If I remove the “profile” scope for access token in the rule pipeline does it affect ID token (no profiles returned)?