Scopes added during login aren't appearing in access token

Hello out there!

I’m using the SDK auth0/nextjs-auth0 ^1.7.0 in a Next.js app. In handleLogin, the scope ‘read:organizations’ is added.

await handleLogin(req, res, {
  authorizationParams: {
    audience: audience,
    scope: 'openid profile read:organizations',
    redirect_uri
  },
  returnTo: '/home'
})

handleCallback() is called after successful auth. In afterCallback() I check for the auth’d user’s scopes by decoding the access token.

import jwtDecode from 'jwt-decode' // assumes the jwt-decode package is used for decoding

// Declared before handleCallback() so the hook exists when it is referenced
const afterCallback = async (req, res, session, state) => {
  // Decode (without verifying) to inspect the granted scopes
  const accessTokenDecoded = jwtDecode(session.accessToken)
  console.log("accessToken is ", accessTokenDecoded)
  // The hook must return the session so the SDK persists it
  return session
}

await handleCallback(req, res, {
  afterCallback,
  redirectUri
})

The scope is missing ‘read:organizations’

accessToken is  {
  ...
  scope: 'openid profile'

Any idea how to get the scope to have ‘read:organizations’? After login, the user will want to be able to get information about the organization they just logged into. Thanks for any help.

Hi there @illusionfactory welcome to the community!

Good question! Is this scope a permission for your own API? That is, in authorizationParams are you setting the audience to your own API that you have registered in Auth0 or are you looking to use the Management API in some way from your app?

Let us know!

Hi tyf, thanks for the response.

Am trying to retrieve an organization by id using the Management API here:

The API call looks like:

https://<DOMAIN>/api/v2/organizations/<ORG_ID>

Audience and Scope in Access Token after login is:

aud: [
  'https://<DOMAIN>/api/v2/',
  'https://<DOMAIN>/userinfo'
]
scope: 'openid profile'

Am trying to get auth’d with scope ‘openid profile read:organizations’ and use the resulting Access Token as the Bearer token to the /api/v2/organizations API.

const bearer = `Bearer ${accessToken}`
const headers = { authorization: bearer }

Is this possible or should I be taking a different approach? Thanks for the help.

No problem, happy to help where I can!

Thanks for clarifying your use case - I don’t believe this is possible as is. I recommend taking a look at our documentation around Management API Access Tokens and in particular Management API Access tokens for production. Basically, this would be a separate backend process that has no user (client credentials) for which the resulting access token can be used at https://<DOMAIN>/api/v2/organizations/<ORG_ID>.

Hopefully this helps!
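Added example of the approach the reply recommends (not code from the thread or from the auth0/nextjs-auth0 SDK): a server-side client-credentials exchange for a Management API token, followed by the organizations call with that token as Bearer. It assumes a Machine-to-Machine application authorized for the Management API with the read:organizations scope; the domain, client id/secret and organization id are placeholders, and fetchImpl is injectable so the functions can be exercised without a live tenant.

```javascript
// Added example (not from the thread): server-side Management API access via the
// client-credentials grant, as recommended above. Assumes a Machine-to-Machine
// application authorized for the Management API with read:organizations;
// the domain, client id/secret and org id are placeholders. Node 18+ for global fetch.

// Decode a JWT payload for inspection only (no signature verification).
function decodeJwtPayload(token) {
  const payload = token.split('.')[1]
  return JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'))
}

// True if the token's space-separated scope string contains every required scope.
function hasScopes(token, required) {
  const granted = new Set((decodeJwtPayload(token).scope || '').split(' '))
  return required.every((s) => granted.has(s))
}

// Exchange client credentials for a Management API token. Server-side only:
// the client secret must never be shipped to the browser. fetchImpl is injectable for tests.
async function getManagementToken({ domain, clientId, clientSecret }, fetchImpl = fetch) {
  const res = await fetchImpl(`https://${domain}/oauth/token`, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({
      grant_type: 'client_credentials',
      client_id: clientId,
      client_secret: clientSecret,
      audience: `https://${domain}/api/v2/`,
    }),
  })
  if (!res.ok) throw new Error(`token request failed: ${res.status}`)
  const { access_token: token } = await res.json()
  // Fail early if the M2M app was not granted the scope the organizations call needs.
  if (!hasScopes(token, ['read:organizations'])) {
    throw new Error('Management API token lacks read:organizations')
  }
  return token
}

// Read one organization with the Management API token as the Bearer credential.
async function getOrganization(domain, token, orgId, fetchImpl = fetch) {
  const url = `https://${domain}/api/v2/organizations/${encodeURIComponent(orgId)}`
  const res = await fetchImpl(url, { headers: { authorization: `Bearer ${token}` } })
  if (!res.ok) throw new Error(`organizations request failed: ${res.status}`)
  return res.json()
}
```

The token obtained this way is tied to the M2M application, not to the user who just logged in, so the backend should still check that the requesting user belongs to the organization before returning its details.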
