User tokens now have null scope?

cwinters · August 14, 2021, 6:40pm

I used to be able to retrieve a user’s token with its scope and validate it in my Express app. I would get the token like this:

http POST https://inclusivecareco.us.auth0.com/oauth/token < getUserToken.json

this is the getUserToken.json, with certain values obfuscated

{
  "client_id": "OBFUSCATED_CLIENT_ID",
  "client_secret": "OBFUSCATED_CLIENT_SECRET",
  "audience": "https://api.inclusivecareco.org",
  "grant_type": "password",
  "username": "cy.lgbtqhd@gmail.com",
  "password": "OBFUSCATED_PASSWORD"
}

and it would return something like this with the user’s permissions included in the scope

{
  "access_token": "OBFUSCATED_ACCESS_TOKEN",
  "expires_in": 86400,
  "scope": "admin:all formResponses:all",
  "token_type": "Bearer"
}

then I could make an http request to my Express app with an authenticated user like this:

http POST :80/form < createForm.json authorization:"Bearer OBFUSCATED_ACCESS_TOKEN"

and the app could read the user’s scope from the token like this

const jwtCheck = jwt({
  secret: jwks.expressJwtSecret({
    cache: true,
    rateLimit: true,
    jwksRequestsPerMinute: 5,
    jwksUri: 'https://inclusivecareco.us.auth0.com/.well-known/jwks.json',
  }),
  audience: 'https://api.inclusivecareco.org',
  issuer: 'https://inclusivecareco.us.auth0.com/',
  algorithms: ['RS256'],
});

const authorize = () => {
  return [jwtCheck, jwtAuthz(['admin:all'])];
};

app.post('/form', authorize(), async (req, res, next) => {
  const form = await createForm(req.body).catch(next);
  res.json(form);
  return next();
});

However, now the user token does not include the scope so I get the following error:

HTTP/1.1 403 Forbidden
Connection: keep-alive
Content-Length: 18
Content-Type: text/html; charset=utf-8
Date: Sat, 14 Aug 2021 18:22:33 GMT
ETag: W/"12-CVfYDPAuNQpBlFlTKRGnn+G9Ot0"
Keep-Alive: timeout=5
Vary: Origin
WWW-Authenticate: Bearer scope="admin:all", error="Insufficient scope"
X-Powered-By: Express

Insufficient scope

I checked the Auth0 logs for when the password/token exchange occurred and confirmed the scope value is null.

{
  "date": "2021-08-14T17:58:36.206Z",
  "type": "sepft",
  "description": "Password for Access Token",
  "connection": "Username-Password-Authentication",
  "connection_id": "con_QtFnEi0Bv9CMIYaY",
  "client_id": "OBFUSCATED_CLIENT_ID",
  "client_name": "Inclusive Care Colorado API (Test Application)",
  "ip": "69.71.9.190",
  "client_ip": "69.71.9.190",
  "user_agent": "Other 0.0.0 / Other 0.0.0",
  "user_id": "auth0|606e6e04a32e970069756f38",
  "user_name": "cy.lgbtqhd@gmail.com",
  "audience": "https://api.inclusivecareco.org",
  "scope": null,
  "log_id": "90020210814175837755246160412313819751682528085656207378",
  "_id": "90020210814175837755246160412313819751682528085656207378",
  "isMobile": true
}

Was this feature changed somehow? Should I be accessing the user’s permission/scope a different way? What is interesting is if the user is authenticated from the React frontend there is no issue. It’s only when making direct requests to the Express app from my terminal.

dan.woda · August 16, 2021, 7:54pm

Hi @cwinters,

Welcome to the Auth0 Community!

How are you assigning permissions/scopes to the user? Via roles or directly?

cwinters · August 17, 2021, 10:52pm

Hey Dan,

I am applying using roles. I figured out I needed to access the scope at a different key. Adding the customScopeKey option to the express-jwt-authz function was the trick:

const authorizeAdmin = () => {
  return [jwtCheck, jwtAuthz(['admin:all'], { customScopeKey: 'permissions' })];
};

Not sure if something changed and it used to be on the scope key and now it’s not? But it’s working now so I’m happy

Thanks,
Clark

dan.woda · August 18, 2021, 8:13pm

Glad to hear it’s working!

system · September 2, 2021, 8:13pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.