Hi, let's say you have a user pool where one user may have access to several organizations, with a different set of scopes for each organization stored in a microservice on premise.
We are not using the new organization term in Auth0
- the API has a set of scopes available for use
- the Application chooses a subset of these scopes
- the User grants access for these scopes or a subset of these scopes
- The rule receives the granted scopes in either
- The rule does a lookup in the organization microservice to find out whether the user actually has rights to these scopes, and restricts the set of scopes even further by setting a subset of the granted scopes at
The problem: we are not able to do this when the Application is using
query.scope is empty at that time, and we don’t actually know the organization at that point either (since that was tied with the initial /authorize request and not sent in with /oauth/token request).
Are parameters from the initial /authorize request available somewhere?
- I really need access to the "organization" value and the granted scopes when the user asks for a refresh_token. Persistent storage for only that refresh_token (app_metadata is for the application, not the authorization session).
- Either that, or be able to manipulate the returned scope in the /oauth/token step when /authorize is done. Any manipulation I'm doing in the /authorize step for an access_token isn't affecting the access_token in the
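The scope-narrowing step the post describes (granted scopes intersected with what the organization service says the user holds), written out as an added example. This is not code from the original post or from Auth0: the organization lookup is a constructed in-memory table standing in for the on-premise microservice, the custom `organization` query parameter is an assumption, and the Rules context fields used (`context.protocol` being `'oauth2-refresh-token'` on the refresh grant, `context.request.query.scope`, and `context.accessToken.scope` as an array override) are the example author's understanding of the Rules runtime, not something verified against this tenant.

```javascript
// Constructed sample data standing in for the on-premise organization
// microservice: organization -> user_id -> scopes that user actually holds.
const ORG_RIGHTS = {
  acme:   { 'auth0|alice': ['read:orders', 'write:orders'] },
  globex: { 'auth0|alice': ['read:orders'] },
};

// Hypothetical replacement for the HTTP lookup against the microservice.
// An unknown org or user yields [] so a token can never gain scopes by accident.
function lookupOrgScopes(orgId, userId) {
  const org = ORG_RIGHTS[orgId];
  return (org && org[userId]) ? org[userId].slice() : [];
}

// Space-delimited scope parameter (as sent on /authorize) -> array of scopes.
function parseScope(scopeParam) {
  return (scopeParam || '').split(' ').filter(Boolean);
}

// Intersection: keep only the granted scopes the organization also allows,
// preserving the order in which they were granted. Fails closed on missing
// input: nothing granted, or nothing allowed, gives [].
function narrowScopes(grantedScopes, orgScopes) {
  const allowed = new Set(orgScopes || []);
  return (grantedScopes || []).filter((s) => allowed.has(s));
}

// Rule-shaped wrapper: function (user, context, callback).
// Assumed fields: context.protocol ('oauth2-refresh-token' on the
// refresh_token grant), context.request.query.scope and a custom
// context.request.query.organization param from /authorize, and
// context.accessToken.scope as an array override of the issued scopes.
function restrictScopesRule(user, context, callback) {
  const query = (context.request && context.request.query) || {};
  context.accessToken = context.accessToken || {};

  if (context.protocol === 'oauth2-refresh-token') {
    // The situation the post describes: on /oauth/token with a refresh
    // token there is no scope param and no organization param to narrow
    // against, so this example cannot verify anything and leaves the
    // token untouched (context.accessToken.scope stays unset).
    return callback(null, user, context);
  }

  const granted = parseScope(query.scope);
  const allowed = lookupOrgScopes(query.organization, user.user_id);
  context.accessToken.scope = narrowScopes(granted, allowed);
  return callback(null, user, context);
}

// Offline driver: builds a fake user/context, runs the rule, and returns the
// scope array the rule set (undefined when the rule left the token alone).
function runRule(userId, protocol, scopeParam, orgId) {
  let issued;
  restrictScopesRule(
    { user_id: userId },
    { protocol, request: { query: { scope: scopeParam, organization: orgId } }, accessToken: {} },
    (err, user, ctx) => { issued = err ? null : ctx.accessToken.scope; }
  );
  return issued;
}

module.exports = { lookupOrgScopes, parseScope, narrowScopes, restrictScopesRule, runRule };
```

Note that the intersection is strict on purpose: with a request of `openid read:orders write:orders` against `globex`, only `read:orders` survives, and `openid` is dropped as well. A rule deployed for real would pass the OIDC scopes (`openid`, `profile`, `email`, `offline_access`) through and narrow only the API's own scopes; the refresh branch shows the gap the post is asking about, since nothing in the refresh request identifies the organization to look up.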