I used to be able to retrieve a user’s token with its scope and validate it in my Express app. I would get the token like this:
http POST https://inclusivecareco.us.auth0.com/oauth/token < getUserToken.json
This is getUserToken.json, with certain values obfuscated:
{
"client_id": "OBFUSCATED_CLIENT_ID",
"client_secret": "OBFUSCATED_CLIENT_SECRET",
"audience": "https://api.inclusivecareco.org",
"grant_type": "password",
"username": "cy.lgbtqhd@gmail.com",
"password": "OBFUSCATED_PASSWORD"
}
It would return something like this, with the user’s permissions included in the scope:
{
"access_token": "OBFUSCATED_ACCESS_TOKEN",
"expires_in": 86400,
"scope": "admin:all formResponses:all",
"token_type": "Bearer"
}
Then I could make an HTTP request to my Express app as an authenticated user like this:
http POST :80/form < createForm.json authorization:"Bearer OBFUSCATED_ACCESS_TOKEN"
The app could then read the user’s scope from the token like this:
const express = require('express');
const jwt = require('express-jwt');            // express-jwt 6.x default export: verifies the bearer JWT, sets req.user
const jwks = require('jwks-rsa');              // fetches the RS256 signing keys from the tenant's JWKS endpoint
const jwtAuthz = require('express-jwt-authz'); // checks req.user.scope for the required scopes

const app = express();
app.use(express.json());

const jwtCheck = jwt({
  secret: jwks.expressJwtSecret({
    cache: true,
    rateLimit: true,
    jwksRequestsPerMinute: 5,
    jwksUri: 'https://inclusivecareco.us.auth0.com/.well-known/jwks.json',
  }),
  audience: 'https://api.inclusivecareco.org',
  issuer: 'https://inclusivecareco.us.auth0.com/',
  algorithms: ['RS256'], // pin the algorithm; never accept whatever the token header claims
});

// A valid token alone is not enough: the token must also carry the admin:all scope.
const authorize = () => {
  return [jwtCheck, jwtAuthz(['admin:all'])];
};

app.post('/form', authorize(), async (req, res, next) => {
  try {
    const form = await createForm(req.body); // createForm is the app's own handler, defined elsewhere
    res.json(form);
  } catch (err) {
    next(err); // hand the error to the error middleware instead of sending an empty body
  }
});

app.listen(80);
However, now the user token does not include the scope, so I get the following error:
HTTP/1.1 403 Forbidden
Connection: keep-alive
Content-Length: 18
Content-Type: text/html; charset=utf-8
Date: Sat, 14 Aug 2021 18:22:33 GMT
ETag: W/"12-CVfYDPAuNQpBlFlTKRGnn+G9Ot0"
Keep-Alive: timeout=5
Vary: Origin
WWW-Authenticate: Bearer scope="admin:all", error="Insufficient scope"
X-Powered-By: Express
Insufficient scope
I checked the Auth0 logs for when the password/token exchange occurred and confirmed the scope value is null.
{
"date": "2021-08-14T17:58:36.206Z",
"type": "sepft",
"description": "Password for Access Token",
"connection": "Username-Password-Authentication",
"connection_id": "con_QtFnEi0Bv9CMIYaY",
"client_id": "OBFUSCATED_CLIENT_ID",
"client_name": "Inclusive Care Colorado API (Test Application)",
"ip": "69.71.9.190",
"client_ip": "69.71.9.190",
"user_agent": "Other 0.0.0 / Other 0.0.0",
"user_id": "auth0|606e6e04a32e970069756f38",
"user_name": "cy.lgbtqhd@gmail.com",
"audience": "https://api.inclusivecareco.org",
"scope": null,
"log_id": "90020210814175837755246160412313819751682528085656207378",
"_id": "90020210814175837755246160412313819751682528085656207378",
"isMobile": true
}
Was this feature changed somehow? Should I be accessing the user’s permissions/scope a different way? What is interesting is that if the user is authenticated from the React frontend, there is no issue. It’s only when making direct requests to the Express app from my terminal.