Is this possible?
I set up an application (as a regular web app), an API (added two custom scopes and kept consent enabled), and a test user (assigned to my application with custom scopes/permissions assigned). So far, only the profile scope shows up on the consent screen.
I am reading that custom scopes surface on third-party applications by default, so I've also followed this article in converting a first-party app to a third-party app, but the custom scopes aren't surfacing on consent, nor are they included in the `access_token`.
Thank you in advance!
Circling back on what I ended up having to do:
I needed to pass the `audience` param in the authorization request. I'm using authlib, and `OAuth2Session` (or rather its parent class `OAuth2Client`) defines the following:

```python
class OAuth2Client(object):
    # other stuff
    EXTRA_AUTHORIZE_PARAMS = (
        'response_mode', 'nonce', 'prompt', 'login_hint',
    )
```

and does NOT include `audience`, so I needed to extend it:
```python
from authlib.integrations.requests_client import OAuth2Session


class OAuth2SessionProxy(OAuth2Session):
    """
    need to extend OAuth2Session in order to include the `audience`
    param in the OAuth2Session.EXTRA_AUTHORIZE_PARAMS tuple, it's used
    by Auth0 in determining which API this request is associated with
    """

    def __init__(self, *args, **kwargs):
        # no extra behaviour; `audience` passed here ends up in self.metadata
        super(OAuth2SessionProxy, self).__init__(*args, **kwargs)

    # authlib copies any of these keys from self.metadata into the
    # authorization request when they are not passed explicitly
    EXTRA_AUTHORIZE_PARAMS = (
        'response_mode',
        'nonce',
        'prompt',
        'login_hint',
        'audience',
    )
```
Anyway, this is what worked for me. Interested in hearing if anyone ran into something similar / what their approach was.