Why is the scope claim included in an M2M Client Credentials token?

adamu · July 30, 2020, 3:22pm

For user tokens, the scopes granted to a user role are included in the permissions claim, like this:

{
  "iss": ...,
  "sub": ...,
  "aud": ...,
  "iat": ...,
  "exp": ...,
  "azp": ...,
  "permissions": [
    "some",
    "lovely",
    "scopes"
  ]
}

For M2M tokens, the scopes are included in both the scope (as a string) and permissions (as a list) claims, with identical information:

{
  "iss": ...,
  "sub": ...,
  "aud": ...,
  "iat": ...,
  "exp": ...,
  "azp": ...,
  "scope": "some lovely scopes",
  "gty": "client-credentials",
  "permissions": [
    "some",
    "lovely",
    "scopes"
  ]
}

If I try to remove the scope claim in a hook, the permissions claim also disappears:

{
  "iss": ...,
  "sub": ...,
  "aud": ...,
  "iat": ...,
  "exp": ...,
  "azp": ...,
  "gty": "client-credentials"
}

Why is the permissions information duplicated in the scope claim for M2M tokens?
Why does the scope claim need to be included in M2M tokens for the permissions claim to show up, when it is not required for user tokens?

This duplicate information is making the JWT unnecessarily long, especially when there are quite a few scopes.

Thanks.

dan.woda · July 31, 2020, 3:06pm

Hi @adamu,

Thanks for providing your feedback. Since this issue has already been covered in the thread you linked (unless I am missing another aspect, please let me know), the best course of action is to express this information to our product team directly through our feedback page.

Using this gateway pushes the information directly to our product management team, ensuring that they hear about your use-case and request.

Thanks!
Dan

adamu · August 3, 2020, 2:00am

Hi Dan, thanks for the reply.

I thought using the community forum would be useful for others searching for the same information later.

I wasn’t trying to provide feedback, but more hoping to find the answers to my two questions. If the answer is that the behavior is unintentional and will be improved, great. I’ll be sure to contact the product team next time

system · September 21, 2020, 3:52pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Hooks and id_token JWT.io	3	4573	May 9, 2020
Fetching an M2M Token Returns All Granted Scopes/Permissions Instead of Requested Scopes Knowledge Articles scopes , access-token , permissions , client-credentials-g , role , machine-to-machine , m2m	1	2615	January 27, 2023
Empty "permissions" claim in M2M token Integration Help auth0 , api , support , permissions , machine-to-machine	7	1570	June 23, 2023
Is there a way to update the m2m access token so that the scopes are an array rather than a string JWT.io jwt , scopes , m2m	5	2521	November 3, 2022
Why are scopes/permissions are duplicated in JWT tokens issued by Auth0? Help	2	377	April 29, 2024

Why is the scope claim included in an M2M Client Credentials token?

Related topics