Understanding warning about using scope="open profile"

  • I searched for a discussion of this topic. I found one hit that seems to be unrelated
  • Which SDK does this apply to? auth0-js
  • Which version of the SDK you are using? 9.13.0
  • Which version of the platform are you facing this error on? Unsure how I know this? We are using Universal Login.
  • Was this code working before? Recently upgraded from an older version, like 9.7 to resolve cross-site cookie warnings.
  • No stacktrace
  • Please share the code that is causing the error.

public auth0 = new auth0.WebAuth({
  clientID: 'redacted',
  domain: 'my-custom.auth0.com',
  responseType: 'token id_token',
  audience: 'https://my-custom.auth0.com/userinfo',
  redirectUri: process.env.AUTH_REDIRECT_URL,
  scope: 'openid profile'
});

  • Can you share a minimum reproducible? ^ that is it.

So, I’m trying to maintain an aged Angular SPA (that I don’t have a familiarity with). My minimal goal was to update the version of the auth0-js module to avoid cross-site cookie warnings. The application is expected to be deprecated in the future, so I really didn’t want to rework it any more than necessary. Well, the app broke with that change, but I am working through the errors. I noticed there was a warning in the JavaScript console saying using scope “openid profile” was not recommended. The message referred me to Scopes. I have read that page many times trying to understand the issue and resolution. I still haven’t a clue. The page talks about using a minimal scope. So, I removed “profile” from the scope and the warning is gone. Is that what that page was supposed to be telling me to do?

bumping now to see if anyone will respond

Hi Kevin!

I believe the message you are seeing may be coming from an older version of Lock on your hosted login page.

See the following GitHub thread for context: Usage of scope 'openid profile' is not recommended. · Issue #46 · auth0-samples/auth0-angular-samples · GitHub

Thanks!