
`getAccessTokenSilently` doesn't seem to respect `scope` option


What was the expected behavior?

When I specify the scope option of getAccessTokenSilently, it should generate a JWT with the different scope.

Reproduction

Detail the steps taken to reproduce this error, and whether this issue can be reproduced consistently or if it is intermittent. Note: If clear, reproducible steps or the smallest sample app demonstrating misbehavior cannot be provided, we may not be able to follow up on this bug report.

  1. Clone https://github.com/auth0-samples/auth0-react-samples/tree/master/Sample-01
  2. Modify the getAccessTokenSilently call to request a different scope, e.g.

```js
const token = await getAccessTokenSilently({
  audience: 'https://orgs-beta-temporal.us.auth0.com/api/v2/',
  scope: 'default:admin',
});
```

  3. Observe that the returned JWT sees NO change in scope. It is still the default "openid profile email".

2.5 minute Video recording of bug

https://www.loom.com/share/2a56bb28f8524984825a08a7eaeb237c

Environment

Please provide the following:

  • Version of auth0-react used: 1.1.0
  • Which browsers have you tested in? chrome
  • Which framework are you using, if applicable (Angular, React, etc): react
  • Other modules/plugins/libraries that might be involved: no


Top GitHub Comments

4 reactions
sw-yx commented, Jan 13, 2021

Yes, in particular I didn't understand that getAccessTokenSilently's scope arg is for scope narrowing, and we need to declare all scopes the app needs at the Auth0Provider level first.

Here is a short checklist of things to check when dealing with scopes in Auth0. When you add a new scope:

  • In Auth0’s admin panel, make sure the API has the right permission set.
  • In Auth0’s admin panel, make sure the USER has the right permission set, ONLY IF the API has RBAC enabled.
  • In your SERVER code, e.g. api-server.js, make sure it checks the right scope
  • In your CLIENT code, you must make sure the <Auth0Provider> has the scope arg with the permission.
  • In your CLIENT code, you can configure scope for the callSite e.g. getAccessTokenSilently ONLY IF you want to narrow the scope from what you gave for <Auth0Provider>

This is so complicated because we need to model situations like this:

  • an API has SCOPEA, SCOPEB and SCOPEC
  • a User has SCOPEA and SCOPEB for that API
  • an application asks for access for SCOPEA and SCOPEC
  • The token will only contain SCOPEA.

thanks so much to Frederik for his very dedicated and responsive help!!

2 reactions
frederikprijck commented, Jan 13, 2021

we need to declare all scopes the app needs at the Auth0Provider level first.

Just to add a little nuance for this: this is for ensuring the user has given consent. When you are skipping consent for first-party applications, this is not really required, but I still think it is a good practice to do so (it avoids you having to think about first vs third-party apps).

  • In Auth0’s admin panel, make sure the USER has the right permission set, ONLY IF the API has RBAC enabled.
  • In Auth0’s admin panel, make sure the API has the right permission set.

Just to avoid confusion, it should be the other way around. You can not set the USER’s permissions if you haven’t set the API’s permissions. So start with the API, then the USER.
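To make the two comments above concrete, here is an added example (not code from the issue or from auth0-react) that models the scope rules they describe: the call-site scope can only narrow what <Auth0Provider> declared, permissions must exist on the API, and with RBAC enabled they must also be assigned to the user. The tenant data, the `firstPartySkipConsent` flag and all function names are constructed for illustration.

```javascript
// Added example, not code from the issue or from auth0-react: a small model of
// the scope rules the comments above describe, so the SCOPEA/SCOPEB/SCOPEC case
// and the "only narrowing" rule can be checked. All names and data are constructed.
const OIDC_SCOPES = new Set(['openid', 'profile', 'email']);

// Constructed tenant, mirroring the example in the checklist comment.
const tenant = {
  apiPermissions: new Set(['SCOPEA', 'SCOPEB', 'SCOPEC']), // defined on the API
  rbacEnabled: true,                                        // user assignment matters
  userPermissions: new Set(['SCOPEA', 'SCOPEB']),           // assigned to the user
  firstPartySkipConsent: false, // Frederik's nuance: the provider scope exists for consent
};

const parseScope = (scope) => scope.split(/\s+/).filter(Boolean);

// Returns the space-separated scope the token would carry, or throws when a
// call-site scope asks for something <Auth0Provider> never declared and the
// app cannot skip consent.
function resolveTokenScope(tenant, providerScope, callSiteScope) {
  const declared = new Set(parseScope(providerScope));
  const requested = callSiteScope ? parseScope(callSiteScope) : [...declared];
  const granted = [];
  for (const s of requested) {
    if (!declared.has(s) && !tenant.firstPartySkipConsent) {
      throw new Error(`scope "${s}" was not declared on <Auth0Provider>; call-site scope can only narrow`);
    }
    if (OIDC_SCOPES.has(s)) { granted.push(s); continue; }            // openid/profile/email pass through
    if (!tenant.apiPermissions.has(s)) continue;                       // API does not define it
    if (tenant.rbacEnabled && !tenant.userPermissions.has(s)) continue; // user lacks it
    granted.push(s);
  }
  return granted.join(' ');
}

// The api-server.js side of the checklist: reject requests whose token lacks
// the permission the endpoint needs.
function hasRequiredScope(tokenScopeClaim, required) {
  return parseScope(tokenScopeClaim).includes(required);
}
```

With the constructed tenant, a provider scope of `openid profile email SCOPEA SCOPEC` yields a token scope of `openid profile email SCOPEA`, which is the outcome the checklist comment describes.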

