[Edit: rephrased question, as some things got clearer]
I'm currently working on a project which consists of an SPA talking to a bunch of Java-based microservices.
We have the requirement to provide the login page within the client application itself. From my understanding, this leaves us only the option to leverage the cross-authentication flow utilizing the implicit grant.
The authentication works so far, but we have an issue with the content of the JWT tokens, as they don't contain the claim scope, which is included by default if I use PKCE Grant Flow, for instance.
I did manage to add scope via a rule, but apparently have to prefix it with a namespace. This leads to the issue that our backends can't read permissions (we use auth0-spring-security-api), because the AuthenticationHandler reads the scope claim, which is hardcoded.
We would actually like to implement Cross-Authentication with PKCE Grant Flow, because of the ongoing discussions around Implicit Grant and because we are creating a new project. Is this supported by Auth0?
For now, we would also be fine if someone could explain why the default scope claim is not added to the JWT token payload and/or how to configure Auth0 to include it.
If more configuration or examples are needed, notify me… but I assume the issue is of a more general nature.