Auth0-spa-js: Library not returning the scopes granted to user

Created on 30 Jul 2019  ·  12Comments  ·  Source: auth0/auth0-spa-js

I am implementing Authorization in SPA using technique described in - https://auth0.com/docs/architecture-scenarios/spa-api/part-2
But I found that there is no way to retrieve value of "scope" present in the "/token" response. getTokenSilently method is returning access_token only.
Any suggesting to work around this issue.

stale

Most helpful comment

FYI scope is an officially registered _claim_ name and is part of JWT:
https://www.iana.org/assignments/jwt/jwt.xhtml

this is only true if the scope somehow changes and you get a different scope than you asked for

In RBAC roles are exposed as scope claims. And when you have 10 different roles, then you ask for all of them when authenticating and Auth0 will issue a token with only the applicable ones.

TLDR is that your app shouldn't try to get the user permissions from the access_token ...

This is sort of religious statement. Usually the answer to this sort of _argument_ is: _It is not for you to decide what I want to do with the token - it is transparent_.

The lack of a specific getAuthTokenClaims() method is not the end of the world but _hidden_ .decode() method (the same used to decode id_token internally) does not make sense at all, we (developers) could just use that to quickly decode the access_token to retrieve necessary claims.

All 12 comments

There's no scopes returned in the oauth/token http call:
image

We had discussion on how to expose the permissions of a token in https://github.com/auth0/auth0-spa-js/issues/48#issuecomment-508181381 and https://github.com/auth0/auth0-spa-js/issues/23#issuecomment-507794605. Let me know if this helps.

Hi

If you look at - https://auth0.com/docs/architecture-scenarios/spa-api/part-3 [Section - https://auth0.com/docs/architecture-scenarios/spa-api/part-3], It mentions that authResult.scope will contain the scope granted to user. I have followed the stems mentioned in this article and I get scope value in the response of /token call.

That tutorial uses https://github.com/auth0/auth0.js. The scope comes back in the authentication result, not in the /token call. Auth0.js doesn't use the /token endpoint at all.

if the issued scope is equal to the one requested then oauth/token is not required to send the scope parameter, but if the scope changes (we can do that through rules) the response must contain the scope parameter.
https://tools.ietf.org/html/rfc6749#section-5.1

We'll add a way to get those scopes

if the issued scope is equal to the one requested then oauth/token is not required to send the scope parameter, but if the scope changes (we can do that through rules) the response must contain the scope parameter.
https://tools.ietf.org/html/rfc6749#section-5.1

We'll add a way to get those scopes

Is there an ETA for this?

I'll work on this this week.

@luisrudge I've just been struggling through this. So it sounds like currently you would be unable to get scopes (as of now) for a user at this point and we would not be able to display UI elements conditionally based on their scope.

What is the advantage to this library vs the auth0.js, which has the authResult from webAuth?

Thanks!

@aarmora this is only true if the scope somehow changes and you get a different scope than you asked for. In most cases, it should be fine. In any case, this will get fixed 🔜 .

Auth0.js has way more features than auth0-spa-js, but it's also way less opinionated and stateless (meaning it doesn't store any information inside itself). You likely have to have a wrapper around Auth0.js to handle internal state, token renewal etc. This library handles everything for you. There's a great write up here and a migration guide that explains some of the limitations here

@luisrudge Thanks for the response.

What's the best way to get the scopes of a user with auth0-spa-js, then? Assuming they aren't changing. Did I miss some documentation on this somewhere?

@aarmora I think we're talking about different things here. I'm sorry I don't have anything more concise to show you, but we had a lengthy discussion about this before: https://github.com/auth0/auth0-spa-js/issues/23.

The TLDR is that your app shouldn't try to get the user permissions from the access_token, since the access_token is only meant to be sent to your API.

Today, you'd have to create a rule and add the user permissions to your id_token, and then you can use regular getUser to get the contents of the id_token. Another solution would be to create an API endpoint like /account-info or something else that gets the access_token from the Authorization header and gets the user permissions based on that. Both of the approaches will achieve the same result, just in a different way.

FYI scope is an officially registered _claim_ name and is part of JWT:
https://www.iana.org/assignments/jwt/jwt.xhtml

this is only true if the scope somehow changes and you get a different scope than you asked for

In RBAC roles are exposed as scope claims. And when you have 10 different roles, then you ask for all of them when authenticating and Auth0 will issue a token with only the applicable ones.

TLDR is that your app shouldn't try to get the user permissions from the access_token ...

This is sort of religious statement. Usually the answer to this sort of _argument_ is: _It is not for you to decide what I want to do with the token - it is transparent_.

The lack of a specific getAuthTokenClaims() method is not the end of the world but _hidden_ .decode() method (the same used to decode id_token internally) does not make sense at all, we (developers) could just use that to quickly decode the access_token to retrieve necessary claims.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response for our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇‍♂️

Was this page helpful?
0 / 5 - 0 ratings