Hi, Auth0 community,
I faced an issue when requesting access/identity/refresh tokens using the Resource Owner Password flow.
I wanted to get a token with only the OpenID scope, but I see other scopes included in the response.
Request:
curl --location --request POST 'https://my-auth-domain/oauth/token' \
--header 'content-type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=username' \
--data-urlencode 'password=password' \
--data-urlencode 'audience=audience' \
--data-urlencode 'scope=openid' \
--data-urlencode 'client_id=client' \
--data-urlencode 'client_secret=secret'
Response:
{
  "access_token": "access token",
  "id_token": "id token",
  "scope": "openid profile email address phone read:current_user update:current_user_metadata delete:current_user_metadata create:current_user_metadata create:current_user_device_credentials delete:current_user_device_credentials update:current_user_identities",
  "expires_in": 86400,
  "token_type": "Bearer"
}
What have I done wrong with this request? BTW, requesting tokens with a specific scope, for example read:current_user, returns a token having only the read:current_user scope.
Response:
{
  "access_token": "access_token",
  "scope": "read:current_user",
  "expires_in": 86400,
  "token_type": "Bearer"
}
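The two responses above differ in whether the granted scope matches the requested one. RFC 6749 allows a token endpoint to issue a scope set that differs from the one requested, and requires the `scope` member in the response whenever it does, so a client should compare the two rather than assume it got exactly what it asked for. The following is an added example (not Auth0's code and not from the post) that performs that comparison; the sample responses are constructed from the JSON shown above, with placeholder token values, and `check_token_response` is a hypothetical helper name.

```python
"""Compare the scopes a token endpoint actually granted with the scopes the
client requested.  Added example; not Auth0's code.  The sample responses
below are constructed from the JSON in the post, with placeholder tokens."""
import json
from typing import NamedTuple


class ScopeCheck(NamedTuple):
    requested: frozenset
    granted: frozenset
    extra: frozenset      # granted but never requested
    missing: frozenset    # requested but not granted


def parse_scope(scope: str) -> frozenset:
    """Scope strings are space-delimited (RFC 6749 section 3.3)."""
    return frozenset(scope.split())


def check_token_response(requested_scope: str, response_body: str) -> ScopeCheck:
    """Compare the 'scope' member of a token response with the requested scope.

    RFC 6749 section 5.1 requires the 'scope' member only when the issued scope
    differs from the requested one, so an absent member means 'as requested'.
    """
    body = json.loads(response_body)
    requested = parse_scope(requested_scope)
    granted = parse_scope(body["scope"]) if "scope" in body else requested
    return ScopeCheck(
        requested=requested,
        granted=granted,
        extra=granted - requested,
        missing=requested - granted,
    )


# Constructed sample responses, shaped like the two responses in the post.
OPENID_RESPONSE = json.dumps({
    "access_token": "<access token>",
    "id_token": "<id token>",
    "scope": "openid profile email address phone read:current_user "
             "update:current_user_metadata delete:current_user_metadata "
             "create:current_user_metadata create:current_user_device_credentials "
             "delete:current_user_device_credentials update:current_user_identities",
    "expires_in": 86400,
    "token_type": "Bearer",
})

READ_USER_RESPONSE = json.dumps({
    "access_token": "<access token>",
    "scope": "read:current_user",
    "expires_in": 86400,
    "token_type": "Bearer",
})


if __name__ == "__main__":
    for requested, body in (("openid", OPENID_RESPONSE),
                            ("read:current_user", READ_USER_RESPONSE)):
        result = check_token_response(requested, body)
        print(f"requested={sorted(result.requested)}")
        print(f"  extra scopes granted: {sorted(result.extra) or 'none'}")
        print(f"  requested scopes missing: {sorted(result.missing) or 'none'}")
```

Run against the first response the check reports eleven scopes that were granted but never requested; against the second it reports none. A client that stores or forwards the token can use the `extra` set to decide whether the token is wider than it wants to hold, independent of why the endpoint widened it.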