I have a single page application and a backend application both registered as clients in Auth0. The SPA uses implicit grant to get id_token and access_token from Auth0. Kong validates the access_token and sends the request to the backend. The SPA sets scope "openid profile" and gets full profile information from Google. So far so good.
I need to set roles in the access_token for the backend to read, and am doing this using a rule. The rule goes like this: context.accessToken.scope = ['list', 'of', 'roles']; The problem now is the profile information disappears from the id_token when the rule is active, and I only get basic information in the JWT. I found a way around this, by getting the scopes from the request and adding them to the scopes in the access_token.
var roles = ['list', 'of', 'roles']; // roles to expose to the backend
var scope = context.request.query.scope || ""; // scopes the SPA asked for, e.g. "openid profile"
context.accessToken.scope = roles.join(' ').concat(' ').concat(scope); // roles first, then the requested scopes
I would say this must be a bug in Auth0. Setting scope in access_token should not affect how the id_token is generated. I have searched the docs but have not been able to find where this behaviour is documented. If this is expected, please show me where this is described.
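The workaround in the post, written out as a complete rule, as an added example that is not part of the original post or of Auth0's own code. It keeps the scopes the SPA requested (so the profile claims survive) and appends role scopes, deduplicated and filtered against a known list so that a stray value in the user's metadata cannot become an arbitrary scope. The location of the roles (user.app_metadata.roles), the KNOWN_ROLES list and the sample user/context are assumptions constructed for the example; in the Auth0 dashboard a rule is entered as a single function (user, context, callback), so the body of addRolesToAccessToken is what would be pasted there.

```javascript
// Added example (not from the original post): an Auth0-style rule that
// appends role scopes to the access token while preserving the scopes the
// SPA requested, e.g. "openid profile".
// Assumptions: roles live in user.app_metadata.roles (hypothetical), and the
// requested scopes arrive in context.request.query.scope as in the post.

// Pure helper: merge requested scopes with role scopes, deduplicated,
// keeping the requested scopes first and the roles after them.
function mergeScopes(requestedScope, roles) {
  const requested = String(requestedScope || '').split(/\s+/).filter(Boolean);
  const seen = new Set();
  const out = [];
  for (const s of requested.concat(roles || [])) {
    if (!seen.has(s)) {
      seen.add(s);
      out.push(s);
    }
  }
  return out.join(' ');
}

// Only roles the backend actually knows about are allowed through, so an
// unexpected value in app_metadata cannot be injected as a scope.
const KNOWN_ROLES = ['admin', 'editor', 'viewer']; // constructed sample list

function selectRoles(user) {
  const meta = (user && user.app_metadata) || {};
  const roles = Array.isArray(meta.roles) ? meta.roles : [];
  return roles.filter((r) => KNOWN_ROLES.includes(r));
}

// The rule itself, in the shape Auth0 invokes it: (user, context, callback).
function addRolesToAccessToken(user, context, callback) {
  const query = (context.request && context.request.query) || {};
  const requested = query.scope || '';
  context.accessToken.scope = mergeScopes(requested, selectRoles(user));
  return callback(null, user, context);
}

// Stand-alone run with a constructed user and context (not real Auth0 data).
const sampleUser = { app_metadata: { roles: ['admin', 'bogus'] } };
const sampleContext = {
  request: { query: { scope: 'openid profile' } },
  accessToken: {},
};
addRolesToAccessToken(sampleUser, sampleContext, (err, u, ctx) => {
  console.log(ctx.accessToken.scope); // openid profile admin
});
```

Because the requested scopes are copied through unchanged, a request with scope "openid profile" still yields "openid profile admin" in the access token, and an empty or missing scope parameter yields just the roles with no stray leading or trailing whitespace, which the plain string concatenation in the post would produce.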