Restrict scopes for a specific authorization session

Hi, let's say you have a user pool where one user may have access to several organizations, with a different set of scopes for each organization stored in an on-premise microservice.

We are not using the new organization term in Auth0.

  • the API has a set of scopes available for use
  • the Application chooses a subset of these scopes
  • the User grants access for these scopes or a subset of these scopes
  • the rule receives the granted scopes in either body.scope or query.scope
  • the rule does a lookup in the organization microservice to find out whether the user actually has rights to these scopes, and restricts the set of scopes even further by setting a subset of the granted scopes in context.accessToken.scope

The problem: we are not able to do this when the Application uses a refresh_token, since body.scope and query.scope are empty at that time, and we don't actually know the organization at that point either (since that was tied to the initial /authorize request and is not sent with the /oauth/token request).

Are parameters from the initial /authorize request available somewhere?

  • I really need access to the "organization" value and the granted scopes when the user asks for a refresh_token. Persistent storage for only that refresh_token (app_metadata is for the application, not the authorization session).
  • Either that, or be able to manipulate the returned scope in the /oauth/token step when /authorize is done. Any manipulation I'm doing in the /authorize step for an access_token isn't affecting the access_token in the /oauth/token step at all.

To make it very short, I have a rule that I only run for /authorize (protocol oidc-basic-profile, oidc-implicit-profile), and I remove one of the scopes and set a subset of the scopes granted by the user in the accessToken.

Next time, when a new accessToken is requested with a refresh_token, will the removed scope be back in the accessToken!?!
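The scope-narrowing rule the post describes, written out as an added example (not code from the post or from Auth0): it intersects the scopes granted at /authorize with the scopes the organization service holds for that user, and passes any other grant type through untouched, which is exactly the refresh_token gap being asked about. `lookupOrgScopes`, the `ORG_DIRECTORY` sample data and the `organization` request parameter name are assumptions for the example.

```javascript
// Added example, not from the original post. Mirrors the rule described there:
// runs only for the /authorize protocols, narrows context.accessToken.scope to
// the intersection of granted scopes and the organization's scopes for the user.
const AUTHORIZE_PROTOCOLS = ['oidc-basic-profile', 'oidc-implicit-profile'];

// Constructed sample data standing in for the on-premise organization microservice.
const ORG_DIRECTORY = {
  acme: { 'alice@example.com': ['openid', 'read:invoices', 'offline_access'] },
};

// Hypothetical lookup: which scopes this user really holds in this organization.
function lookupOrgScopes(orgId, email) {
  const org = ORG_DIRECTORY[orgId] || {};
  return org[email] || [];
}

// Space-separated scope string (body.scope / query.scope) -> array of scope names.
function parseScopes(raw) {
  return (raw || '').split(/\s+/).filter(Boolean);
}

// Keep only granted scopes that the organization also allows; everything else is dropped.
function restrictScopes(grantedScopes, orgScopes) {
  const allowed = new Set(orgScopes);
  return grantedScopes.filter((scope) => allowed.has(scope));
}

// Rule in the shape of an Auth0 rule: function (user, context, callback).
function restrictScopesRule(user, context, callback) {
  // Not an /authorize flow (e.g. a refresh_token exchange): nothing is narrowed here,
  // so scopes removed at /authorize are not removed again on this path.
  if (!AUTHORIZE_PROTOCOLS.includes(context.protocol)) {
    return callback(null, user, context);
  }
  const req = context.request || {};
  const body = req.body || {};
  const query = req.query || {};
  const granted = parseScopes(body.scope || query.scope);
  // "organization" as a custom /authorize parameter is an assumption of this example.
  const orgId = body.organization || query.organization;
  if (granted.length === 0 || !orgId) {
    return callback(new Error('scope or organization missing from /authorize request'), user, context);
  }
  const allowed = lookupOrgScopes(orgId, user.email);
  context.accessToken = context.accessToken || {};
  context.accessToken.scope = restrictScopes(granted, allowed);
  return callback(null, user, context);
}
```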