Scopes in ID token

Currently writing a Svelte SPA; I need to decide when to show certain buttons/areas for their respective permissions.
I need access to the user's permissions in the client.
To set the base for those who may stumble upon this, let me clarify one thing according to the standards and Auth0.
It is said: don't look into the access token (`getTokenSilently()`) in the client; instead, use the ID token (`getIdTokenClaims()`).
But it seems Auth0 doesn't even pass the permissions to the ID token when you get it from `getIdTokenClaims()`.
On the other hand, if you "break the rules" and use `jwt-decode` to decode the access token, there you have everything your heart desires.

What's the best way to do this the right way, i.e. to get permissions/scopes included in the ID token? It's tempting to just decode the access token and use the scopes in there. I'd also rather not be hitting the Management API if I can avoid it.

All of this needs to be muuuuuuch clearer in the docs for building a SPA. Authorization is a basic auth need.

Thanks!

Thanks for the descriptive feedback. I agree, this is something that could be clearer in our docs.

There is an Angular example of how to do this without the access token. It may be helpful:

Best,
Dan


The linked example uses auth0-js, not the SPA package.

That is correct, and the methodology is still applicable.
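The methodology Dan refers to, shown as an added example rather than code from this thread, Auth0's docs or the linked Angular sample: a post-login Action copies the user's RBAC roles into the ID token as a namespaced custom claim, and the SPA reads that claim from `getIdTokenClaims()` instead of decoding the access token. The namespace `https://example.com/`, the claim name `roles`, the fake Action runtime and the sample login event are all assumptions constructed for the example; `api.idToken.setCustomClaim` and `event.authorization.roles` are the real Auth0 Actions API. A small gotcha the example handles: `event.authorization` is absent when no roles are assigned, so the claim must still be written (as an empty list) or the client would have to special-case a missing key.

```javascript
// Added example, not code from the thread or from Auth0. Namespace and claim
// name are assumptions; in a real tenant pick a namespace you control.
const NAMESPACE = "https://example.com/";
const ROLES_CLAIM = `${NAMESPACE}roles`;

// --- Auth0 side: post-login Action. Auth0 wires this up as
// exports.onExecutePostLogin(event, api) (declared async in its template);
// kept synchronous here so the offline demo below is easy to assert on.
// Roles assigned through Auth0 RBAC arrive in event.authorization.roles.
// The Action only adds a claim; Auth0 still issues and signs the ID token.
function onExecutePostLogin(event, api) {
  const roles = (event.authorization && event.authorization.roles) || [];
  api.idToken.setCustomClaim(ROLES_CLAIM, roles);
}

// --- SPA side: helpers the Svelte app calls with the object returned by
// auth0Client.getIdTokenClaims(). The ID token is meant for the client, so
// reading it is the sanctioned path; the access token stays opaque to the SPA.
function rolesFromClaims(claims) {
  const roles = claims && claims[ROLES_CLAIM];
  return Array.isArray(roles) ? roles : [];
}

// UI gating only: hiding a button is not authorization. The API that receives
// the access token must enforce the same rule on every request.
function canShow(claims, requiredRole) {
  return rolesFromClaims(claims).includes(requiredRole);
}

// Constructed stand-in for the Action runtime so the Action runs offline.
function makeFakeApi() {
  const customClaims = {};
  return {
    claims: customClaims,
    idToken: {
      setCustomClaim: (name, value) => {
        customClaims[name] = value;
      },
    },
  };
}

// End-to-end run on a constructed login event: a user holding two roles.
function demo() {
  const event = { authorization: { roles: ["editor", "admin"] } };
  const api = makeFakeApi();
  onExecutePostLogin(event, api);
  // In the real flow these claims come back from getIdTokenClaims(); here the
  // constructed ID-token payload is assembled from the fake runtime's output.
  const claims = { sub: "auth0|constructed-user", ...api.claims };
  return {
    showAdminPanel: canShow(claims, "admin"),
    showBillingTab: canShow(claims, "billing"),
  };
}

console.log(demo());
```

In the Svelte component, `const claims = await auth0Client.getIdTokenClaims();` followed by `canShow(claims, "admin")` decides whether to render the admin area; the same role check has to exist in the API, because anyone can edit the client-side decision.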
