Requesting Access Token Scopes With ROPG (RBAC enabled vs RBAC disabled)

Problem statement

It appears the issued tokens differ when performing ROPG with RBAC enabled vs. with RBAC disabled. What is the difference in behavior when RBAC is enabled or disabled as it pertains to the scopes included in issued tokens?

Symptoms

All API scopes are returned on the Access Token, regardless of what was requested with the scope param in the authentication flow.

Steps to reproduce

For the RBAC-disabled case:

  1. Disable RBAC on an API in the Dashboard.
  2. Ensure that the application has the password grant type enabled under Advanced Settings.
  3. Do not request any scopes (the scope parameter is sent empty):

     curl --location --request POST 'https://YOUR-TENANT-DOMAIN/oauth/token' \
     --header 'Content-Type: application/x-www-form-urlencoded' \
     --data-urlencode 'grant_type=http://auth0.com/oauth/grant-type/password-realm' \
     --data-urlencode 'client_id=YOUR-CLIENT-ID' \
     --data-urlencode 'audience=YOUR-API-AUDIENCE' \
     --data-urlencode 'username=YOUR-DATABASE-CONNECTION-USERNAME' \
     --data-urlencode 'password=YOUR-PASSWORD!' \
     --data-urlencode 'scope=' \
     --data-urlencode 'client_secret=YOUR-CLIENT-SECRET' \
     --data-urlencode 'realm=YOUR-DATABASE-CONNECTION-NAME'

  4. See that all the API scopes are returned on the Access Token.

For the RBAC-enabled case:

  1. Enable RBAC on an API in the Dashboard.
  2. Ensure that the application has the password grant type enabled under Advanced Settings.
  3. Vary the scopes requested in the scope parameter and the permissions assigned to the user, for example:

     curl --location --request POST 'https://YOUR-TENANT-DOMAIN/oauth/token' \
     --header 'Content-Type: application/x-www-form-urlencoded' \
     --data-urlencode 'grant_type=http://auth0.com/oauth/grant-type/password-realm' \
     --data-urlencode 'client_id=YOUR-CLIENT-ID' \
     --data-urlencode 'audience=YOUR-API-AUDIENCE' \
     --data-urlencode 'username=YOUR-DATABASE-CONNECTION-USERNAME' \
     --data-urlencode 'password=YOUR-PASSWORD!' \
     --data-urlencode 'scope=' \
     --data-urlencode 'client_secret=YOUR-CLIENT-SECRET' \
     --data-urlencode 'realm=YOUR-DATABASE-CONNECTION-NAME'

  4. See that the API scopes returned on the Access Token are the intersection of the requested scopes, the scopes assigned to the user, and the scopes listed on the API.

Solution

The expected behavior when requesting custom API scopes on an Access Token is different for ROPG than for other authentication flows.

With ROPG and RBAC enabled on the API, the authorization server looks at:

  • the permissions listed on the API
  • the permissions listed for the user
  • the permissions requested

If the scope is present in all three of those locations with RBAC enabled, it will get added to the Access Token.

With RBAC disabled on the API, ROPG behaves unlike other flows: the authorization server adds every scope defined on the API regardless of what was requested, and it ignores the permissions assigned to the user.
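The following Python is an added example, not Auth0's code and not part of the original article. It models the two rules stated above (RBAC enabled: the scope must appear on the API, on the user, and in the request; RBAC disabled: every API scope is issued) and compares that expectation against the scope claim of an Access Token returned by the curl requests in the reproduction steps. The API scopes, user permissions, requested scopes and the unsigned sample token are all constructed for the demonstration; the payload decoder deliberately does no signature verification and is for inspection only, so a real consumer must still verify the token against the tenant's JWKS before trusting any claim.

```python
import base64
import json

# Constructed sample inputs (not from the original article).
API_SCOPES = ["read:reports", "write:reports", "delete:reports"]  # permissions defined on the API
USER_PERMISSIONS = ["read:reports", "write:reports"]              # permissions assigned to the user
REQUESTED = ["read:reports", "delete:reports"]                    # scope parameter sent with the ROPG request


def expected_scopes(api_scopes, user_permissions, requested, rbac_enabled):
    """Scopes ROPG should place on the Access Token, per the rule in the Solution.

    RBAC enabled:  a scope must appear in all three places (API, user, request).
    RBAC disabled: every scope defined on the API, whatever was requested or assigned.
    """
    api = set(api_scopes)
    if not rbac_enabled:
        return api
    return api & set(user_permissions) & set(requested)


def decode_jwt_payload(token):
    """Decode the payload segment of a compact JWT WITHOUT verifying the signature.

    Inspection only: this exists to read the scope claim for comparison. A consumer
    must verify the signature against the tenant's JWKS before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_scopes(token):
    """The space-delimited 'scope' claim as a set (empty set if the claim is absent)."""
    return set(decode_jwt_payload(token).get("scope", "").split())


def scope_mismatch(token, api_scopes, user_permissions, requested, rbac_enabled):
    """Compare an issued token with the documented rule.

    Returns (unexpected, missing): scopes present on the token that the rule does
    not predict, and scopes the rule predicts that the token lacks. Both empty
    means the token matches the expected behavior for that RBAC setting.
    """
    got = token_scopes(token)
    want = expected_scopes(api_scopes, user_permissions, requested, rbac_enabled)
    return got - want, want - got


def sample_token(claims):
    """Build an unsigned, JWT-shaped string for offline demonstration (constructed)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # A token carrying every API scope is what the RBAC-disabled case produces...
    tok = sample_token({"aud": "YOUR-API-AUDIENCE", "scope": " ".join(API_SCOPES)})
    print("RBAC disabled mismatch:", scope_mismatch(tok, API_SCOPES, USER_PERMISSIONS, REQUESTED, False))
    # ...but judged against the RBAC-enabled rule it over-grants two scopes.
    print("RBAC enabled mismatch: ", scope_mismatch(tok, API_SCOPES, USER_PERMISSIONS, REQUESTED, True))
```

To use this against a real response, pass the access_token string from the /oauth/token reply to scope_mismatch together with the API's defined permissions, the user's assigned permissions and the scope value you sent; a non-empty "unexpected" set with RBAC enabled, or a non-empty "missing" set with RBAC disabled, indicates the API's RBAC setting is not what you assumed.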