Retrieving 'identities' claim in id_token on username/password login

We have a google-based social login that requests ‘identities’ scope. As a result the id_token JWT we get in response includes the following:

      "provider": "google-oauth2",
      "user_id": "10902802101234569447",
      "connection": "google-oauth2",
      "isSocial": true

However, we have a username/password login (using the auth0-js sdk .login method) that is requesting scope: “identities” but none are included in the response. Using other scopes like “openid” works correctly. Does anybody have any idea why this might be?

The client.login method in the latest Auth0.js uses the /oauth/token endpoint available as part of the latest authentication and authorization API feature set (aka this endpoint is not a legacy authentication endpoint and as such strictly conforms to OpenID Connect and OAuth2 specs).

When you consider the above with the fact that identities is not a standard OIDC scope then the behavior you’re obtaining is explained and expected. If you’re still using legacy authentication flows the recommendation would be to move to the new flows and stop relying in non-standard behavior like controlling the contents of the ID token using non-standard scopes.

With the latest flows you can still add additional information to the ID token, you’ll just need to do it explicitly through a rule instead (see the reference docs for additional information).

If at this time, you cannot yet upgrade to the latest flows then you may need to constrain your usage solely to the legacy endpoints (this may mean using SDK version that are not latest and/or direct calls to the authentication API). In particular, you can also perform a username/password login in a similar manner to /oauth/token at /oauth/ro which is a legacy endpoint.

Thanks for you response. I have added the rule that you suggested, and that works well. However, if I omit “scope” entirely from the .login() call options, the idToken still includes nonstandard properties I would expect from ‘profile’ scope - i.e. nickname, name, picture. If I do not include a scope on the social authentication I get none of those.

Can you update your question with the exact Auth0.js version being used, how you configure it and also the relevant calls for the social authentication and username/password scenarios? IIRC, if you don’t include scope in /oauth/token since this is a request that implies the user provided the actual password to your application then all OIDC standard information like name is returned because your application already has the user password so no worries in sharing that information by default. In other OIDC flows the application only receives the information it asked for through scope.