Hi, let's say you have a user pool, where one user may have access to several organizations with a different set of scopes for each organization, stored in a microservice on premise.
We are not using the new organization term in Auth0
- the API has a set of scopes available for use
- the Application chooses a subset of these scopes
- the User grants access for these scopes or a subset of these scopes
- The rule receives the granted scopes in either `body.scope` or `query.scope`
- The rule does a lookup in the organization microservice to find out if the user actually has rights to these scopes and restricts the set of scopes even more by setting a subset of the granted scopes at `context.accessToken.scope`
The problem: we are not able to do this when the Application is using refresh_token, since `body.scope` and `query.scope` are empty at that time, and we don't actually know the organization at that point either (since that was tied to the initial /authorize request and not sent in with the /oauth/token request).
Are parameters from the initial /authorize available somewhere?
- I really need access to the "organization" value and the granted scopes when the user asks for a refresh_token. A persistent storage for only that refresh_token (app_metadata is for the application, not the authorization session).
- Either that, or be able to manipulate the returned scope in the /oauth/token step when /authorize is done. Any manipulation I'm doing in the /authorize step for an access_token isn't affecting the access_token in the /oauth/token step at all.
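As an added illustration (not code from the original post, and not an Auth0-provided rule), here is the scope-narrowing logic the question describes as a plain function plus a rule-shaped wrapper, with the refresh_token case (no scope and no organization in the request) failing closed. The `ORG_SCOPES_SAMPLE` table and the `organization` request parameter are assumptions standing in for the on-premise microservice and the value carried on /authorize.

```javascript
// Added example: constructed org -> allowed-scopes table standing in for the
// on-premise organization microservice (assumption, not the real service).
const ORG_SCOPES_SAMPLE = {
  'org-a': ['read:invoices', 'write:invoices'],
  'org-b': ['read:invoices'],
};

// Parse a space-delimited OAuth scope string into a de-duplicated array.
function parseScope(scope) {
  if (typeof scope !== 'string') return [];
  return Array.from(new Set(scope.split(/\s+/).filter(Boolean)));
}

// Intersect the scopes granted in the request with the scopes the user holds
// in the organization. Anything outside the org set is dropped, so the token
// can only ever be narrowed by this step, never widened.
function restrictScopes(grantedScope, orgAllowedScopes) {
  const allowed = new Set(orgAllowedScopes || []);
  return parseScope(grantedScope).filter((s) => allowed.has(s));
}

// Rule-shaped wrapper. `context.request.body/query` and
// `context.accessToken.scope` are the rule fields named in the question;
// `organization` as a request parameter and `orgLookup` are assumptions.
function applyOrgScopeRule(user, context, orgLookup) {
  const req = context.request || {};
  const body = req.body || {};
  const query = req.query || {};
  const granted = body.scope || query.scope || '';
  const organization = body.organization || query.organization;
  context.accessToken = context.accessToken || {};
  if (!granted || !organization) {
    // The refresh_token case from the question: neither the scope nor the
    // organization arrive with /oauth/token, so fail closed and issue no
    // org-restricted scopes instead of guessing which org applies.
    context.accessToken.scope = [];
    return context;
  }
  context.accessToken.scope = restrictScopes(granted, orgLookup(user, organization));
  return context;
}
```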