Removing 'openid','profile' scopes from access token

aswin.v · April 18, 2018, 7:04pm

Hi guys,
I have set up a rule wherein the scopes ‘openid’ and ‘profile’ are filtered out from the issued access token scope.I am adding some custom permissions to the scope.

 var permissions = user.permissions || [];
  var requestedScopes = context.request.body.scope || context.request.query.scope;
  var filteredScopes = requestedScopes.split(' ').filter( function(x) {
    return x.indexOf(':') < 0 && x!=='openid' && x!=='profile';
  });
  Array.prototype.push.apply(filteredScopes, permissions);
  context.accessToken.scope = filteredScopes.join(' ');

  callback(null, user, context);

However the scopes “openid” and “profile” are not getting removed from the issued access token.
I tried debugging but the console is not accessible for some reason.

Appreciate any help
Regards
Aswin

aswin.v · April 19, 2018, 1:05pm

Update:Managed to get it working, I think the rule took some time to apply. But there is something strange happening when I filter out (remove) the profile from access Token scope. The returned ID token does not contain profile information.So for now just filtering out openid scope from access token. So to ask:

I have a SPA+API setup i.e implicit grant flow.

The scopes “profile” is used for returning the claims as defined in 5.4 of openid-connect-core-1_0 spec.If I remove the “profile” scope for access token in the rule pipeline does it affect ID token (no profiles returned)?

konrad.sopala · August 16, 2019, 9:55am

Hey there!

Sorry for such delay in response! We’re doing our best in providing the best developer support experience out there but sometimes with all the incoming questions, it’s just not possible. Sorry for the inconvenience!

Do you still require further assistance?

konrad.sopala · August 19, 2019, 8:53am