Surface custom scopes on consent screen for first-party applications

Is this possible?

I set up an application (as regular web app), an API (added two custom scopes and kept consent enabled), and a test user (assigned to my application with custom scopes/permissions assigned). So far, only the profile scope shows up on the consent screen.

I am reading that custom scopes surface on third-party applications by default, so I’ve also followed this article in converting a first-party app to a third-party app, but the custom scopes aren’t surfacing on consent, nor are they included in the access_token.

Thank you in advance!

Circling back on what I ended up having to do:

I needed to pass the audience param in the authorization request. I’m using authlib; OAuth2Session (or rather its parent class OAuth2Client) defines the following

class OAuth2Client(object):
    # other stuff

    EXTRA_AUTHORIZE_PARAMS = (
        'response_mode', 'nonce', 'prompt', 'login_hint',
    )

and does NOT include audience, so I needed to extend it:

# import path for authlib >= 0.13 (older releases exposed it as authlib.client.OAuth2Session)
from authlib.integrations.requests_client import OAuth2Session


class OAuth2SessionProxy(OAuth2Session):
    """
    need to extend OAuth2Session in order to include the `audience`
    param in the OAuth2Session.EXTRA_AUTHORIZE_PARAMS tuple, it's used
    by Auth0 in determining which API this request is associated with
    """
    # same entries as the parent class, plus `audience`, so that
    # create_authorization_url(..., audience=...) passes it through
    EXTRA_AUTHORIZE_PARAMS = (
        'response_mode',
        'nonce',
        'prompt',
        'login_hint',
        'audience',
    )

Anyway, this is what worked for me. Interested in hearing if anyone ran into something similar / what their approach was.

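As an added example (not code from the post above, and independent of authlib), the following builds an Auth0 authorization request that carries the `audience` of the API plus its custom scopes, and checks an outgoing request URL for the omission the thread describes: an `audience`-less request, or one missing a custom scope, yields a token that never targets the API, so the scopes cannot show up on consent or in the access token. The domain, client id, API identifier and scope names are constructed placeholders, and the check also flags a missing `state` or PKCE, which a first-party web app should be sending anyway.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values; replace with your tenant's settings.
AUTH0_DOMAIN = "example.auth0.com"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
REDIRECT_URI = "https://app.example.com/callback"
API_AUDIENCE = "https://api.example.com"           # the API "Identifier" in Auth0
CUSTOM_SCOPES = ["read:reports", "write:reports"]  # scopes defined on that API


def pkce_pair():
    """Return (code_verifier, code_challenge) for PKCE S256 (RFC 7636)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(domain, client_id, redirect_uri, scopes, state,
                        code_challenge, audience=None):
    """Build the /authorize URL. `audience` is optional here only so the
    check below can show what a request looks like when a client library
    silently drops the param."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(["openid", "profile", *scopes]),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if audience is not None:
        params["audience"] = audience
    return f"https://{domain}/authorize?{urlencode(params)}"


def check_authorize_request(url, expected_audience, required_scopes):
    """Return a list of problems with an outgoing authorization request.
    An empty list means the request names the API and asks for every
    required custom scope, so Auth0 can surface them on consent."""
    query = parse_qs(urlparse(url).query)
    problems = []
    audience = query.get("audience", [None])[0]
    if audience is None:
        problems.append("audience param missing: token will not target the API")
    elif audience != expected_audience:
        problems.append(f"audience {audience!r} != expected {expected_audience!r}")
    requested = set(query.get("scope", [""])[0].split())
    missing = sorted(set(required_scopes) - requested)
    if missing:
        problems.append("scope missing: " + ", ".join(missing))
    if not query.get("state", [""])[0]:
        problems.append("state param missing: CSRF protection absent")
    if query.get("code_challenge_method", [None])[0] != "S256":
        problems.append("PKCE S256 not used")
    return problems


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)
    good = build_authorize_url(AUTH0_DOMAIN, CLIENT_ID, REDIRECT_URI,
                               CUSTOM_SCOPES, state, challenge, audience=API_AUDIENCE)
    bad = build_authorize_url(AUTH0_DOMAIN, CLIENT_ID, REDIRECT_URI,
                              CUSTOM_SCOPES, state, challenge)  # audience dropped
    print("with audience:   ", check_authorize_request(good, API_AUDIENCE, CUSTOM_SCOPES))
    print("without audience:", check_authorize_request(bad, API_AUDIENCE, CUSTOM_SCOPES))
```

Running the script prints an empty problem list for the request that carries `audience` and a single "audience param missing" entry for the one that does not; wiring `check_authorize_request` into a test of your login flow catches the silent drop before it reaches a user's consent screen.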