Type of the token

I was trying out the client_credentials grant flow and authorization_code grant flows. When I tried the first time, I got an access token that was actually a JWT. And then I was simply trying different scopes etc. and now I am suddenly getting a non-JWT token… What is the logic behind this? When do I receive a JWT access token and when a non-JWT access token?

Access tokens issued by Auth0 are always in JWT format when you define a custom Audience/API in your requests. They will be opaque tokens if the requested API is not a custom API such as the /userinfo Auth0 API.

You can find a lot more details on this here.


Ah okay. Thanks for that clarification.

I have another doubt about how the scopes are computed in the case of the client-credentials grant. Looks like scopes for a client are authorized per audience/API, and when the actual token request is made, the possible value of the scope parameter in the request changes according to the value of audience. Is there any documentation around this?

You are correct; you cannot modify the scopes in a Client Credentials request by setting the scope parameter. The response will give you a token with all the API scopes that have been authorised to the Application, regardless of the scope sent in the request.

However, you can modify the scopes using the Auth0 Client Credentials Hook according to the business logic you have. Within the hook script, you have access to the client application details, audience, scopes array and some additional context, enough information for you to make a decision and modify or add custom claims as you wish.

More details in the below Documentations:
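As an added illustration of the hook described in the reply above (example code, not from this thread or from Auth0's own samples): a Client Credentials Exchange hook that narrows the granted scopes to a per-audience allow-list and adds namespaced custom claims. The `(client, scope, audience, context, cb)` signature is the one Auth0 documents for this hook type; the allow-list, the `tier` client metadata key and the claim namespace are constructed for the example.

```javascript
// Added example: Auth0 Client Credentials Exchange hook.
// Auth0 calls this with the full set of scopes authorised for the application
// on the requested audience; the hook can only narrow that set or add claims,
// it cannot grant scopes the Application was never authorised for.

// Constructed per-audience allow-lists (not real APIs).
const ALLOWED_SCOPES = {
  'https://api.example.com/': ['read:reports', 'write:reports'],
};

// Constructed claim namespace: Auth0 requires custom claims to be namespaced URLs,
// non-namespaced claims are silently dropped from the token.
const CLAIM_NS = 'https://example.com/claims/';

function onClientCredentials(client, scope, audience, context, cb) {
  const accessToken = {};
  const allowed = ALLOWED_SCOPES[audience];
  // Assumption: client metadata is exposed as client.metadata (constructed key "tier").
  const tier = (client.metadata && client.metadata.tier) || 'basic';

  if (allowed) {
    // Keep only scopes on the allow-list; only "premium" clients keep write:* scopes.
    accessToken.scope = scope.filter(function (s) {
      return allowed.indexOf(s) !== -1 && (tier === 'premium' || s.indexOf('write:') !== 0);
    });
  } else {
    // Unknown audience: leave the dashboard-authorised scopes as they are.
    accessToken.scope = scope.slice();
  }

  // Custom claims that downstream APIs can use for authorization decisions.
  accessToken[CLAIM_NS + 'tier'] = tier;
  accessToken[CLAIM_NS + 'client_name'] = client.name;

  cb(null, accessToken);
}

// Auth0's hook runtime loads the function from module.exports (guarded so the file
// also runs where `module` is not defined).
if (typeof module !== 'undefined') {
  module.exports = onClientCredentials;
}
```

Calling `cb(new Error('...'))` instead of `cb(null, accessToken)` rejects the exchange outright, which is the place to deny a client that should never reach a given audience.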
