User scopes are not synced on connection

Hello Auth0 Community!
I am using Auth0 as an IdP (let’s call it app1) for my application and I am also using Auth0 as an authorization server (let’s call it app2). I created an OIDC enterprise connection to sync users between the two tenants, which is already working to some extent. Although my issue is that the permissions/scopes are not synced from the IdP to the authorization server.
So the flow is as follows:
When I open my application, the authorize endpoint is being called with the clientId for app2 and the name of the enterprise connection I created. This is getting redirected to the authorize endpoint of app1, then I can log in with the user from the tenant of app1, the user gets created in the tenant of app2, but it has zero permissions or scopes. The JWT token contains only the openid and profile scopes, although I specified multiple custom ones on the connection in the Auth0 portal as well as on the authorize endpoint with the scope parameter.

Could you maybe help me out what am I missing?
I tried to specify the connection_scope parameter on the authorize endpoint as well, but it ended up returning an error saying “id_token not present in tokenset”. I am using response_type=code on the authorize calls, but I tried to change it to id_token, with no luck; I got the same response.

Thank you very much in advance!

I am sharing what I found out, maybe it will be useful for someone in the future.

Auth0 uses two terms in the case of a federated login: upstream and downstream IdP or tenant. The upstream tenant is the one that the connection is directed to; the downstream tenant is the one where the application is registered. When creating connections, you can specify upstream_params on the connection using the API described here:
https://auth0.com/docs/connections/pass-parameters-to-idps

These params are then passed on to the authorize request on the upstream IdP, so to the one specified in the connection. Here you can specify extra parameters, like audience, which is necessary to get back the scopes. Once you have done that, you should get back a proper token from the upstream tenant, with scopes and permissions set. The issue is that Auth0 does not pass this token down to the downstream tenant (the one that the application calls), so the token the application receives is a blank one in terms of scopes and permissions. To add the scopes and permissions, you have to create an Auth Rule which populates these fields on the new token. In the rule you can access user.identities, where the upstream access token is also available. The scopes you can easily just copy from there; however, to specify the permissions on the new token, you have to use the endpoint available here:
https://auth0.com/docs/api/management/v2#!/Users/post_permissions

You have to send an HTTP POST request to this endpoint, where the body contains an array of Permission objects, which should include two fields: “permission_name” and “resource_server_identifier”, where the latter is the id of the API your application is using and the permission_name has to be the name of one of the permissions available on this API.
I include these details in my response because this is not properly documented and maybe it reduces time for someone else to find the proper format.

Once you have done these steps, you should have a proper and valid token issued by the downstream tenant with the necessary scopes and permissions.
I hope this helps!
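The Rule-side logic described above, as an added example that is not the poster's code and not an official Auth0 snippet. It assumes the upstream identity in `user.identities` exposes the upstream `access_token`, that the downstream token's scopes can be set through `context.accessToken.scope`, and that permissions are assigned with `POST /api/v2/users/{id}/permissions` on the downstream tenant; the connection name, issuer, audience, domains and the sample token are all constructed placeholders. The HTTP call itself is left to the caller (in a real Rule the `request` module and a Management API token would be used), so the decision logic can be exercised without a tenant.

```javascript
// Assumption: this mirrors what a Rule `function (user, context, callback)` would do.
function base64UrlDecode(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

function base64UrlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Reads the claims of a compact JWS without verifying the signature: the Rule only
// mirrors claims from a token Auth0 already obtained from the upstream tenant, and
// checkUpstreamClaims() still pins issuer, audience and expiry before they are trusted.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected a three-part compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

function checkUpstreamClaims(payload, expectedIssuer, expectedAudience, nowSeconds) {
  if (payload.iss !== expectedIssuer) throw new Error('upstream token issuer mismatch');
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(expectedAudience)) throw new Error('upstream token audience mismatch');
  if (typeof payload.exp !== 'number' || payload.exp <= nowSeconds) throw new Error('upstream token expired');
}

// Auth0 access tokens carry `scope` as a space-delimited string and, with RBAC enabled,
// `permissions` as an array of permission names.
function extractGrants(payload) {
  const scopes = typeof payload.scope === 'string' ? payload.scope.split(' ').filter(Boolean) : [];
  const permissions = Array.isArray(payload.permissions) ? payload.permissions : [];
  return { scopes, permissions };
}

function findUpstreamIdentity(user, connectionName) {
  return (user.identities || [])
    .find((i) => i.connection === connectionName && typeof i.access_token === 'string') || null;
}

// Body format the reply describes: an array of {permission_name, resource_server_identifier}.
function buildPermissionsRequest(managementDomain, userId, permissionNames, resourceServerIdentifier) {
  return {
    method: 'POST',
    url: `https://${managementDomain}/api/v2/users/${encodeURIComponent(userId)}/permissions`,
    headers: { 'Content-Type': 'application/json' }, // plus Authorization: Bearer <Management API token>
    body: {
      permissions: permissionNames.map((name) => ({
        permission_name: name,
        resource_server_identifier: resourceServerIdentifier,
      })),
    },
  };
}

// Core logic, synchronous and free of I/O. Returns the merged scope list and the
// Management API request to send (or null when there is nothing to assign).
function syncUpstreamGrants(user, context, options) {
  const identity = findUpstreamIdentity(user, options.connectionName);
  if (!identity) return { scopes: [], permissionsRequest: null }; // not a login via this connection
  const payload = decodeJwtPayload(identity.access_token);
  checkUpstreamClaims(payload, options.upstreamIssuer, options.upstreamAudience, options.nowSeconds);
  const { scopes, permissions } = extractGrants(payload);
  const existing = Array.isArray(context.accessToken.scope) ? context.accessToken.scope : [];
  context.accessToken.scope = Array.from(new Set([...existing, ...scopes])); // assumed settable in Rules
  const permissionsRequest = permissions.length
    ? buildPermissionsRequest(options.managementDomain, user.user_id, permissions, options.resourceServerIdentifier)
    : null;
  return { scopes: context.accessToken.scope, permissionsRequest };
}

// Constructed sample data standing in for what the Rule would receive (placeholder values).
function makeSampleToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.constructed-signature`;
}

const SAMPLE_OPTIONS = {
  connectionName: 'app1-oidc',
  upstreamIssuer: 'https://app1.example.auth0.com/',
  upstreamAudience: 'https://api.example.com',
  managementDomain: 'app2.example.auth0.com',
  resourceServerIdentifier: 'https://api.example.com',
  nowSeconds: 1700000000,
};

function sampleUser() {
  const token = makeSampleToken({
    iss: SAMPLE_OPTIONS.upstreamIssuer, aud: SAMPLE_OPTIONS.upstreamAudience, exp: 1700003600,
    scope: 'openid profile read:reports', permissions: ['read:reports'],
  });
  return {
    user_id: 'oidc|app1-oidc|auth0|abc123',
    identities: [{ provider: 'oidc', connection: 'app1-oidc', user_id: 'auth0|abc123', access_token: token }],
  };
}

function runSample() {
  const context = { accessToken: { scope: ['openid', 'profile'] } };
  return syncUpstreamGrants(sampleUser(), context, SAMPLE_OPTIONS);
}
```

`runSample()` returns the merged scopes `openid profile read:reports` and a prepared POST to the downstream tenant's Management API carrying `read:reports` for the sample API identifier; an expired or wrongly issued upstream token is rejected before anything is copied, which is the check worth keeping even when the token came through Auth0's own federation.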
