Problem statement
Step-up authentication scopes not appearing when enabling RBAC.
Symptoms
All API scopes are returned on the Access Token, regardless of what was requested with the scope param in the authentication flow.
Steps to reproduce
For the RBAC disabled case:
- Disable RBAC on an API in the Dashboard.
- Ensure that the application has the password grant type enabled under Advanced Settings.
- Do not request any scopes:
curl --location --request POST 'https://YOUR-TENANT-DOMAIN/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=http://auth0.com/oauth/grant-type/password-realm' \
--data-urlencode 'client_id=YOUR-CLIENT-ID' \
--data-urlencode 'audience=YOUR-API-AUDIENCE' \
--data-urlencode 'username=YOUR-DATABASE-CONNECTION-USERNAME' \
--data-urlencode 'password=YOUR-PASSWORD!' \
--data-urlencode 'scope=' \
--data-urlencode 'client_secret=YOUR-CLIENT-SECRET' \
--data-urlencode 'realm=YOUR-DATABASE-CONNECTION-NAME'
- See that all the API scopes are returned on the Access Token.
For the RBAC-enabled case:
- Enable RBAC on an API in the Dashboard.
- Ensure that the application has the password grant type enabled under Advanced Settings.
- Play with requesting scopes and assigning permissions to users:
curl --location --request POST 'https://YOUR-TENANT-DOMAIN/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=http://auth0.com/oauth/grant-type/password-realm' \
--data-urlencode 'client_id=YOUR-CLIENT-ID' \
--data-urlencode 'audience=YOUR-API-AUDIENCE' \
--data-urlencode 'username=YOUR-DATABASE-CONNECTION-USERNAME' \
--data-urlencode 'password=YOUR-PASSWORD!' \
--data-urlencode 'scope=' \
--data-urlencode 'client_secret=YOUR-CLIENT-SECRET' \
--data-urlencode 'realm=YOUR-DATABASE-CONNECTION-NAME'
- See that the API scopes returned on the Access Token are the intersection of the requested scopes, the scopes assigned to the user, and the scopes listed on the API.
Solution
The expected behavior when requesting Custom API scopes on an Access Token differs between ROPG (Resource Owner Password Grant) and the other authentication flows.
With ROPG, when you enable RBAC on the API, the authorization server is going to look at
- the permissions listed on the API
- the permissions listed for the user
- the permissions requested
If the scope is present in all three of those locations with RBAC enabled, it’ll get added to the Access Token.
When RBAC is disabled on the API, ROPG behaves unlike the other flows: the authorization server adds every scope defined on the API to the Access Token, regardless of which scopes you request and regardless of which permissions are assigned to the user.
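The following is an added example, not part of this article and not Auth0's own code, that turns the three-way intersection rule above into a check you can run against an Access Token returned by the ROPG call. It models the RBAC-enabled rule (API permissions, user permissions and requested scopes must all contain the scope) and the RBAC-disabled rule (every API scope is issued regardless of request or user), decodes the token's `scope` claim, and reports any scopes the token carries that the model says it should not. The scope names, the helper `make_sample_token` and the unsigned sample token it builds are constructed for offline demonstration only; the check reads the payload without verifying the signature, so it is a diagnostic aid, not a replacement for the signature and audience validation your API must still perform.

```python
import base64
import json


def expected_scopes(api_permissions, user_permissions, requested, rbac_enabled):
    """Model of the ROPG scope rule described in the article (assumption: simplified).

    RBAC enabled:  scope is issued only if it is on the API, assigned to the user,
                   and present in the request (three-way intersection).
    RBAC disabled: every scope defined on the API is issued, whatever was
                   requested and whatever the user has been assigned.
    """
    api = set(api_permissions)
    if not rbac_enabled:
        return sorted(api)
    return sorted(api & set(user_permissions) & set(requested))


def decode_jwt_payload(token):
    """Return the JWT payload as a dict. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated parts")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_scopes(token):
    """Space-separated 'scope' claim -> sorted list (empty list if absent)."""
    claim = decode_jwt_payload(token).get("scope", "")
    return sorted(s for s in claim.split() if s)


def check_token(token, api_permissions, user_permissions, requested, rbac_enabled):
    """Compare the token's scopes with the modelled expectation.

    'unexpected' lists scopes the token grants that the rule says it should not;
    'missing' lists scopes the rule says should be present but are not.
    """
    expected = expected_scopes(api_permissions, user_permissions, requested, rbac_enabled)
    actual = token_scopes(token)
    return {
        "expected": expected,
        "actual": actual,
        "unexpected": sorted(set(actual) - set(expected)),
        "missing": sorted(set(expected) - set(actual)),
    }


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(scope):
    """Constructed, unsigned sample token for offline demonstration only (hypothetical)."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://api.example.test", "scope": scope}  # constructed values
    return f"{_b64url(header)}.{_b64url(payload)}."


# Constructed scenario: the API defines three permissions, the user holds two,
# and the ROPG request asked for only one.
API_PERMISSIONS = ["read:items", "write:items", "delete:items"]
USER_PERMISSIONS = ["read:items", "write:items"]
REQUESTED = ["read:items"]

# A token that carries every API scope, as the RBAC-disabled case returns.
SAMPLE_TOKEN = make_sample_token("read:items write:items delete:items")


if __name__ == "__main__":
    for rbac in (True, False):
        result = check_token(SAMPLE_TOKEN, API_PERMISSIONS, USER_PERMISSIONS, REQUESTED, rbac)
        print(f"RBAC enabled={rbac}: {result}")
```

To use it against a real response, pass the `access_token` value from the `/oauth/token` reply as `token`, the permissions you configured on the API and assigned to the user, and the `scope` parameter you sent; with RBAC enabled, a non-empty `unexpected` list is the symptom this article describes, and with RBAC disabled it is expected to be empty because the whole API scope set is issued.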