Auth0 Home Blog Docs

Scope not working for newer Clients/Lock (OIDC Conformant)?



If I pass in the following scope :

oidcConformant: true,
    allowedConnections: 'Username-Password-Authentication'],
    auth: {
      redirectUrl: myConfig.callbackURL + 'pages/dashboard',
      responseType: 'token id_token',      
      audience: `https://${myConfig.domain}/userinfo`,      
      params: {
        scope: 'openid name email picture roles'

I am only getting this :


With the getProfile method I used to get everything I need based on the idToken. Now with the getUserProfile and based on the accesToken I am not able to retrieve everything.

If I pass in the profile scope which is not recommended. I am getting almost everything except a crucial part.
ROLES AND GROUPS they are missing.


How to get the roles and groups now from the Auth0 Authorization Extension?!!


With OIDC conforment clients, the way to add scope in rules have changed slightly; we now allow the user to define scopes in the API & OpenID, and custom claims are now name spaced. Therefore, you’ll need to pass this information to your token via another rule. There are 3 scenarios are as follows.

Using ACL based on permissions stored in scopes.

In this approach there are granular permissions defined for example consider the following permissions create:user, update:user, create:task, update:task, update:current_user, create:current_user_task, update:current_user_task. An admin user will have access to all these scopes however a normal user will have
access to only :current_. You can add this in scopes as follows

    const rolePermissionsMap = {
        'admin': 'create:user', 'update:user', 'create:task', 'update:task', 'update:current_user', 'create:current_user_task', 'update:current_user_task'],
        'commoner': 'update:current_user', 'create:current_user_task', 'update:current_user_task'],

// This accounts for multiple Roles.
user.roles.forEach((role) => {
        context.idToken.scopes = context.idToken.scopes.concat(rolePermissionsMap[role]);

        context.accessToken.scopes = context.accessToken.scopes.concat(rolePermissionsMap[role]);

Using a custom claim.

Using a custom claim, you can define it as follows

const namespace = context.request.query.audience;

if (context.idToken) {
   context.idToken[audience + '/role'] = user.roles;
   context.idToken[audience + '/groups'] = user.groups;

For ID Token only

You can add the entire app_metadata/user_metadata object in the idToken by the following

context.idToken'app_metadata'] = user.app_metadata; // the same follows for user_metadata.

Please note that this will also apply to /userinfo, whatever you return as idToken will be served as /userinfo

Fetch it on the server

Finally you can fetch this information from either Management API (If you have persistence enabled in the Auth Extension) or Using the Extensions API.


This transition seems to be incredibly confusing.

It appears that a lot of basic use-cases have been broken and full support is still in development on the auth0 side though i can’t find good documentation on exactly what is still in development vs. what currently works. It’d be great at least, if all these workarounds could be migrated into a single living document somewhere instead of posted ad-hoc in the forums. Perhaps when the Auth0 folks respond to an issue like this, they put the answer in a single “Post-Migration Patterns” or somesuch page, and link their forum post to that?


Testing hidden comment


Hello testing response