Troubles while setting up Auth0 Extension API - Python


This topic mainly concerns the Auth0 Extension API. I hope the category is OK for you.

I just set up the Auth0 Authorization Extension for my client. As I have a SPA & API, I followed the following tutorials:

The rule “Access token scopes” did not work for me. I had to change it a bit.
I changed:
context.accessToken.scope = filteredScopes;
context.accessToken.scope = 'openid%20profile%20'+filteredScopes;
context.idToken.scope = permissions.join(' ');

Without 'openid%20profile%20', the token wasn’t in the response (but no errors, the connection went well).
Without the second line, the token did not contain the scope param (even though in Auth0 API Extension > Configuration > Token Contents I did activate “Permissions”).

As I had to update the rule to make it work, I would like to know whether I introduced any security breach?

Another point: the Auth0 Extension automatically creates an application with no type (auth0-authz). To make it work I had to specify the Machine To Machine type for this application. Later I tried to communicate with the extension API, but couldn’t. I had to activate Client Credentials in Advanced Settings > Grant Types, which is not specified in the tutorials.
Same question as before: could these changes introduce any security breach?

Another point, to access the Auth0 Extension API, I used the following tutorial to request the token:

I’m using Python 3.6. I was connected to Auth0 when reading the tutorial, so the variables were filled.
I had to replace the line:
conn = http.client.HTTPSConnection("")
conn = http.client.HTTPSConnection("<MY_TENANT>.<MY_ZONE>")

And the line:
conn.request("POST", "/<MY_TENANT>.<MY_ZONE>", payload, headers)
conn.request("POST", "/oauth/token", payload, headers)

Last point, totally different, I had to create an account on Auth0 Community to send this message, in the name of my client.
The activation email was sent, but we had troubles with our mail box, so we never received it.
At login, we get the message: “Your account is awaiting activation, use the forgot password link to issue another activation email.”
It is not possible to disconnect in this case, I had to use private navigation.
Then I used the forgot password link, but you cannot issue another activation email via this form. So I reset the password, but it does not change anything.
Then I tried to send it from my personal account, but I forgot the password and I never received the forgot password email…
Anyway, I am now posting with a newly created Auth0 account.

Kind regards,
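
The corrected request from this post written out in full, as an added example rather than code from the thread or from Auth0's tutorial: the tenant host goes to `HTTPSConnection`, the path is `/oauth/token`, and the grant is `client_credentials`. The function name `fetch_m2m_token`, the `conn_factory` parameter and the caller-supplied `audience` are assumptions made for illustration.

```python
import http.client
import json


def fetch_m2m_token(domain, client_id, client_secret, audience,
                    conn_factory=http.client.HTTPSConnection):
    """POST a client-credentials request to https://<domain>/oauth/token.

    conn_factory is a hypothetical hook so the call can be exercised
    offline with a stub; by default a real HTTPS connection is opened.
    """
    # HTTPSConnection() takes the bare tenant host, with no scheme or path.
    if not domain or "/" in domain:
        raise ValueError("domain must be a bare host, e.g. <MY_TENANT>.<MY_ZONE>")
    payload = json.dumps({
        "grant_type": "client_credentials",  # must be enabled on the application
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,  # identifier of the API being called (caller-supplied)
    })
    conn = conn_factory(domain)
    try:
        # The request path is the token endpoint, not the tenant host.
        conn.request("POST", "/oauth/token", payload,
                     {"content-type": "application/json"})
        res = conn.getresponse()
        raw = res.read()
    finally:
        conn.close()
    try:
        body = json.loads(raw.decode("utf-8"))
    except ValueError:
        body = {}  # e.g. an HTML error page returned for a wrong path
    if res.status != 200 or not isinstance(body, dict) or "access_token" not in body:
        error = body.get("error", "unknown_error") if isinstance(body, dict) else "unknown_error"
        # Report status and OAuth error code only; never echo the secret.
        raise RuntimeError("token request failed: %d %s" % (res.status, error))
    return body
```

Keep the client secret out of source control and logs; the error path above reports only the HTTP status and the OAuth error code.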

Hey, I don’t believe your appending the openId to filtered scopes will produce a security exploit but can we get a HAR file of your current workflow so we can inspect deeper what may be occurring? With the HAR file, be sure to select “Preserve log” to catch redirects and scrub the file of user passwords before direct messaging it over paired with your tenant name. Thanks in advance!

Me neither, but I was surprised that the rule in the documentation did not work directly. So I preferred to check with your team. :)
I sent you the HAR file via private message for security reasons.
Please delete the file after the check on your computer and write in this conversation or via private message that it has been done.

Sorry for the inconvenience and thanks in advance! :)

I wanted to follow up after looking this over with our team and wanted to find out why you are requesting an access token from the extension? The best course of action for gaining an access token or id token would be to request it from the authentication api. Thanks in advance!

Hi @James.Morrison ,

Thanks for your answer! :)

We started a year ago and followed the following tutorials:

Then, for security reasons our tokens have to expire after 12 hours. So we just set up the JWT Expiration param in our SPA Application.

In the lock.js config, we specified the following:

auth: {
  responseType: 'token',
  redirectUrl: `${getBaseUrl(store)}auth/signed-in`,
  params: {
    scope: 'openid profile ',
    device: 'it-compass-app',
    state: secret
  }
}

If I change:
responseType: 'token',
responseType: 'token id_token',
responseType: 'id_token',
I do receive the ID Token, but without the scope param or other params defined in Auth0 Rules, so on the API side, Django responds with a 403 if there is a require_scope decorator in front of the view function.
In this case, the rules seem not to have been executed, but I don’t know why; for me they should be executed on each new connection.

After a few tests, we found that changing the Authorization rule to match our current system and this is why we proceeded like this.

Your way of using the Access Token just did not seem to us a good solution because of our current implementation of the API.

Kind regards,

Following up, what we explained is standard protocol. While the methodology you explained works, it is not the recommended way to proceed. It’s important to keep in mind that the permissions set do not equal scopes; scopes are set to be consumed by APIs and are leveraged in Access tokens and they are requested during the authentication flow.
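
How an API consumes the space-delimited `scope` claim of an access token, which is the distinction drawn in the reply above; this is an added example, not code from the thread, from Auth0 or from the Django decorator the poster mentions. The names `granted_scopes`, `require_scope`, `list_reports` and the claim sets are constructed, and the claims are assumed to come from a token whose signature, issuer, audience and expiry were already verified.

```python
from functools import wraps


def granted_scopes(claims):
    """Return the set of scopes carried by verified JWT claims.

    OAuth 2.0 (RFC 6749, section 3.3) defines scope as a space-delimited
    string; a missing or non-string claim grants nothing.
    """
    scope = claims.get("scope")
    if not isinstance(scope, str):
        return set()
    # No percent-decoding: "%20" is not a delimiter inside a claim value.
    return set(scope.split(" ")) - {""}


def require_scope(required):
    """Decorator for view(claims) -> (status, body); 403 unless `required` is granted."""
    def decorator(view):
        @wraps(view)
        def wrapper(claims):
            if claims is None:  # no token, or verification failed upstream
                return 401, "missing or invalid token"
            if required not in granted_scopes(claims):
                return 403, "insufficient scope: " + required
            return view(claims)
        return wrapper
    return decorator


@require_scope("read:reports")
def list_reports(claims):
    return 200, "reports for " + claims["sub"]


# Constructed claim sets, not taken from the thread's tenant.
ACCESS_TOKEN_CLAIMS = {"sub": "auth0|constructed", "scope": "openid profile read:reports"}
ID_TOKEN_CLAIMS = {"sub": "auth0|constructed", "name": "Constructed User"}
ENCODED_SCOPE_CLAIMS = {"sub": "auth0|constructed", "scope": "openid%20profile%20read:reports"}

if __name__ == "__main__":
    for sample in (ACCESS_TOKEN_CLAIMS, ID_TOKEN_CLAIMS, ENCODED_SCOPE_CLAIMS, None):
        print(list_reports(sample))
```

Claims without a `scope` entry, and a scope string that carries literal `%20` instead of spaces, both end in 403 here because neither yields `read:reports` as a separate scope.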

Hi @James.Morrison,
We will keep our current flow for a while and change it at our next modification on access rights in a few weeks.
Thank you very much for your answers.
Kind regards,

No problem, happy to help! Be sure to let us know if you have any further questions in the future that we can help with, Thanks!
