Scope doesn't assign to access token on React

I want to get a user role, so I make this request: https://${domain}/api/v2/users/${sub}/roles. But I have an error: Insufficient scope, expected any of: read:users,read:roles,read:role_members
For this request I must provide an access token with the following scope: read:users read:roles read:role_members.
I provided scope in Auth0Provider:

<Auth0Provider domain="_" clientId="_" authorizationParams={{ redirect_uri: window.location.origin, audience: "_", scope: "read:current_user update:current_user_metadata read:users read:roles read:role_members" }}> <App/> </Auth0Provider>

But the scope in the token is:
"scope": "openid read:current_user update:current_user_metadata". So how can I assign the scope to the token?

Hello @Xepobopa welcome to the community!

A Management API Access Token obtained by the SPA is limited in the scopes it can have - Instead, you’ll need to utilize a backend of sorts to get and use a properly scoped access token. The following article outlines this flow:

Alternatively (and easiest route), you can add a user’s roles as a claim to an Access Token and get them that way:

Hope this helps!

1 Like
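The "Insufficient scope, expected any of" error in the question is the Management API comparing the token's space-separated scope claim against the scopes the roles endpoint accepts. The following is an added example, not code from the thread or from Auth0, that decodes a token's payload and performs the same "any of" comparison, so you can see at a glance which scopes an SPA-issued token actually carries. The sample tokens are constructed inline (a fake signature, not RS256-signed), and the decoding deliberately skips signature verification: it is an inspection helper, not an authorization check.

```javascript
// Added example (not the thread's code): inspect the "scope" claim of an Auth0
// access token and apply the Management API's "any of these scopes" rule.
// The payload is decoded WITHOUT verifying the signature, so use this only to
// debug what a token contains, never to decide whether a request is allowed.

// Scopes accepted by GET /api/v2/users/{id}/roles, taken from the error in the thread.
const ROLES_ENDPOINT_SCOPES = ["read:users", "read:roles", "read:role_members"];

function base64url(input) {
  return Buffer.from(input).toString("base64url");
}

// Build a compact JWS-shaped string from a payload so the example runs offline.
// The signature segment is a constructed placeholder, not a real RS256 signature.
function makeSampleToken(payload) {
  const header = { alg: "RS256", typ: "JWT" };
  return [
    base64url(JSON.stringify(header)),
    base64url(JSON.stringify(payload)),
    base64url("constructed-signature-placeholder"),
  ].join(".");
}

// Decode the middle segment of a compact token. No verification is performed.
function decodePayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected 3 segments)");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// "scope" is a single space-separated string in Auth0 access tokens.
function scopesOf(payload) {
  return typeof payload.scope === "string" ? payload.scope.split(" ").filter(Boolean) : [];
}

// Mirrors the endpoint's rule: the token must carry at least ONE of `acceptable`.
// Returns the granted scopes, which acceptable scopes matched, and which are missing.
function checkScope(token, acceptable) {
  const granted = new Set(scopesOf(decodePayload(token)));
  const matched = acceptable.filter((s) => granted.has(s));
  const missing = acceptable.filter((s) => !granted.has(s));
  return { ok: matched.length > 0, granted: [...granted], matched, missing };
}

// Constructed sample 1: what the SPA in the thread received for the Management API
// audience. The requested read:users / read:roles scopes were not granted.
const SPA_TOKEN = makeSampleToken({
  iss: "https://TENANT.example.auth0.com/",           // placeholder tenant, not the thread's
  aud: ["https://TENANT.example.auth0.com/api/v2/"],
  scope: "openid read:current_user update:current_user_metadata",
});

// Constructed sample 2: the shape of a token a backend would obtain for the same
// audience with read:users and read:roles granted.
const BACKEND_TOKEN = makeSampleToken({
  iss: "https://TENANT.example.auth0.com/",
  aud: ["https://TENANT.example.auth0.com/api/v2/"],
  scope: "read:users read:roles",
});

// Run as a script: prints both verdicts.
if (typeof require !== "undefined" && require.main === module) {
  console.log("SPA token:", checkScope(SPA_TOKEN, ROLES_ENDPOINT_SCOPES));
  console.log("Backend token:", checkScope(BACKEND_TOKEN, ROLES_ENDPOINT_SCOPES));
}
```

Running it shows the SPA token matching none of the three scopes (which is exactly the 403 the question reports), while the backend-style token matches two of them and passes the "any of" rule even though read:role_members is absent.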

Hello! Thanks for your reply. I tried to use Login Flow from your reply. Here is my code:

exports.onExecutePostLogin = async (event, api) => {
  // Namespace used for the custom claim (an Auth0 tenant domain, see the reply below).
  const namespace = 'https://dev-tyu80romro64bab1.us.auth0.com/api/v2/';
  if (event.authorization) {
    // Add the user's roles to both the ID token and the access token.
    api.idToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
  }
};

But the code from the link doesn't work. My access token doesn't contain any role.
Also I tried to pass default values, but it didn't work either:

api.idToken.setCustomClaim(`value`, "key");
api.accessToken.setCustomClaim(`value`, "key");

access token:

{
  "iss": "https://dev-tyu80romro64bab1.us.auth0.com/",
  "sub": "auth0|64aa6b4142cc3032718b8da0",
  "aud": [
    "https://dev-tyu80romro64bab1.us.auth0.com/api/v2/",
    "https://dev-tyu80romro64bab1.us.auth0.com/userinfo"
  ],
  "iat": 1688896803,
  "exp": 1688983203,
  "azp": "ldJvP8jc3TJedTVViILgUWKqKDFjRDMB",
  "scope": "openid read:current_user update:current_user_metadata"
}

(I described in more detail here reactjs - Unable to scope access token - Stack Overflow)

1 Like

Hey @Xepobopa happy to help, apologize for the delayed response!

Auth0 domains aren’t allowed in custom namespaces so I believe it’s just being ignored in this case - The roles should be added if you use anything else (outside of restricted claims).

2 Likes
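The reply above explains why the claim never showed up: the namespace in the Action is the tenant's own auth0.com domain, which Auth0 drops. Below is an added example, not the thread's Action and not Auth0's code, of a Post-Login Action that sets the same roles claim under a namespace you control, with a guard that refuses auth0.com hostnames so a misconfigured namespace fails loudly in a test instead of being ignored silently in production. The namespace https://example.com is an assumption (any URL you own works); the `makeFakeApi` stand-in for the Actions `api` object is constructed here so the handler can be exercised locally.

```javascript
// Added example (not the thread's code): Post-Login Action that adds the user's
// roles as a namespaced custom claim on the ID token and the access token.
// The namespace guard encodes the point from the reply: Auth0 ignores custom
// claims whose namespace is an auth0.com domain.

// Assumption: a URL you control. Must NOT be your tenant's auth0.com domain.
const NAMESPACE = "https://example.com";

// True when the namespace is a URL whose host is not under auth0.com.
// The host rule is an assumption about which namespaces Auth0 treats as restricted.
function isAllowedNamespace(namespace) {
  let url;
  try {
    url = new URL(namespace);
  } catch {
    return false;
  }
  const host = url.hostname.toLowerCase();
  return host !== "auth0.com" && !host.endsWith(".auth0.com");
}

// Build the claim name: trailing slashes are stripped so "https://x.com/" does not
// become "https://x.com//roles" (the thread's Action had this double slash).
function roleClaimName(namespace) {
  if (!isAllowedNamespace(namespace)) {
    throw new Error(`namespace ${namespace} would be ignored by Auth0; use a domain you own`);
  }
  return `${namespace.replace(/\/+$/, "")}/roles`;
}

// Synchronous core of the Action so it can be tested without the Actions runtime.
// Returns the claim name that was written, or null when the user has no roles.
function applyRoleClaims(event, api, namespace = NAMESPACE) {
  if (!event || !event.authorization) return null;
  const claim = roleClaimName(namespace);
  const roles = Array.isArray(event.authorization.roles) ? event.authorization.roles : [];
  api.idToken.setCustomClaim(claim, roles);
  api.accessToken.setCustomClaim(claim, roles);
  return claim;
}

// The handler Auth0 invokes. Guarded so the file also runs as a plain script.
const onExecutePostLogin = async (event, api) => {
  applyRoleClaims(event, api);
};
if (typeof exports === "object") exports.onExecutePostLogin = onExecutePostLogin;

// Constructed stand-in for the Actions `api` object: records setCustomClaim calls.
function makeFakeApi() {
  const store = { idToken: {}, accessToken: {} };
  return {
    idToken: { setCustomClaim: (name, value) => { store.idToken[name] = value; } },
    accessToken: { setCustomClaim: (name, value) => { store.accessToken[name] = value; } },
    store,
  };
}

// Run as a script: shows the claims a login with two roles would produce.
if (typeof require !== "undefined" && require.main === module) {
  const api = makeFakeApi();
  applyRoleClaims({ authorization: { roles: ["admin", "editor"] } }, api);
  console.log(JSON.stringify(api.store, null, 2));
}
```

On the consuming side, read the roles from the access token as `payload["https://example.com/roles"]` (the full namespaced key), not from a bare `roles` claim; the namespace is part of the claim name.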

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.