We have been using v2 of the Authorization extension to assign roles to users and return them in the id_token. Sometime within the past couple of weeks, the roles stopped being sent in the token, even though our code has not changed. I enabled debugging for the rule generated by the extension, and can see the roles logged in the user object. We are still sending scope = openid roles to the authorize endpoint, but it’s not returning the roles.
The application is not configured to be OIDC compliant and there is no account-level default audience:
We are using version 2.0.3 of angular-lock, 8.9.1 of auth0.js, 10.20.0 of auth0-lock, and 2.4 of the authorization extension. We are displaying lock with lock.show() and passing in scope="openid roles" and state="/admin" in the params object. On the redirect back, we are decoding the id_token with jwtHelper.decodeToken() from the angular-jwt library. When we decode the token, this is what is in it:
We have not made any custom changes to the authorization extension, and have enabled passing the roles in the token contents: