Scope doesnt assign to access token on React

Xepobopa · July 7, 2023, 9:21am

I want to get a user role, so i make this request: https://${domain}/api/v2/users/${sub}/roles. But i have an error: Insufficient scope, expected any of: read:users,read:roles,read:role_members
For this request i must provide an access token with folowing scope: read:users read:roles read:role_members.
I provided scope in Auth0Provider:

<Auth0Provider domain="_" clientId="_" authorizationParams={{ redirect_uri: window.location.origin, audience: "_", scope: "read:current_user update:current_user_metadata read:users read:roles read:role_members" }}> <App/> </Auth0Provider>

But scope in token is:
"scope": "openid read:current_user update:current_user_metadata". So how can i assign scope to the token?

tyf · July 7, 2023, 11:38pm

Hello @Xepobopa welcome to the community!

A Management API Access Token () obtained by the SPA is limited in the scopes it can have - Instead, you’ll need to utilize a backend of sorts to get and use a properly scoped access token. The following article outlines this flow:

Alternatively (and easiest route), you can add a user’s roles as a claim to an Access Token and get them that way:

Hope this helps!

Xepobopa · July 9, 2023, 10:11am

Hello! Thanks for your reply. I tried to use Login Flow from your reply. Here is my code:

exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'https://dev-tyu80romro64bab1.us.auth0.com/api/v2/';
  if (event.authorization) {
    api.idToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
  }

But code from the link don’t work. My access token don’t contain any role.
Also i tried to pass default values, but it didn’t work too:

api.idToken.setCustomClaim(`value`, "key");
api.accessToken.setCustomClaim(`value`, "key");

access token:

{
  "iss": "https://dev-tyu80romro64bab1.us.auth0.com/",
  "sub": "auth0|64aa6b4142cc3032718b8da0",
  "aud": [
    "https://dev-tyu80romro64bab1.us.auth0.com/api/v2/",
    "https://dev-tyu80romro64bab1.us.auth0.com/userinfo"
  ],
  "iat": 1688896803,
  "exp": 1688983203,
  "azp": "ldJvP8jc3TJedTVViILgUWKqKDFjRDMB",
  "scope": "openid read:current_user update:current_user_metadata"
}

(I described in more detail here reactjs - Unable to scope access token - Stack Overflow)

tyf · July 12, 2023, 12:12am

Hey @Xepobopa happy to help, apologize for the delayed response!

Auth0 domains aren’t allowed in custom namespaces so I believe it’s just being ignored in this case - The roles should be added if you use anything else (outside of restricted claims).

system · July 26, 2023, 12:12am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Management API returns 403 when attempting to read users Help react , auth0-spa-js	3	11162	September 19, 2019
I can't update user email or any other information Help jwt , auth0 , api , management-api	2	3353	October 19, 2021
Managment API does not have the correct scopes read:roles Help scopes , permissions , managment-api-v2	2	7639	September 2, 2019
Forbidden: Insufficient scope, expected one of: read:users AND read:roles, OR read:role_members Help auth0 , api , rules , management-api , access-token	4	5670	July 28, 2022
Adding Scopes to Access Token created for React app Help management-api , roles	4	1827	December 17, 2023

Scope doesnt assign to access token on React

Related Topics