nextjs-auth0: Custom Scopes not being picked up from scope param.
Describe the problem
I’m using the Organizations feature coupled with a SPA application that ties in with a custom API I’ve created.
What normally happens is that a user who is already registered to an Organization logs in using that organization and is then redirected back to my client side, where I’m authenticating my users. They should receive an access token when calling the getAccessToken() function provided by the @auth0/nextjs-auth0 package, with the custom scopes I’ve set up in the [...auth0].js file, meant for the audience of my custom API.
Custom scopes are not being picked up for the access token. I’ve set up the audience for my custom API, which is created in the Auth0 dashboard. In the scope param of authorizationParams during the execution of the handleLogin() function, I’ve added ‘openid profile email …my custom scopes…’. They were being picked up fine up until this week, and I have no idea why the custom scopes are no longer being picked up; it kind of seems like Auth0 is just ignoring them as if they don’t exist, but I double-checked and they are created for my custom API.
What was the expected behavior?
Well, when we set up the correct audience and then add the desired scopes, I should have seen those scopes contained in the JWT returned by the getAccessToken() function, but only ‘openid profile email’ are being picked up.
Reproduction
```js
import { handleAuth, handleLogin } from '@auth0/nextjs-auth0';

export default handleAuth({
  async login(req, res) {
    try {
      await handleLogin(req, res, {
        authorizationParams: {
          // Identifier of the custom API registered in the Auth0 dashboard.
          audience: 'my-custom-api',
          // OIDC scopes plus the custom API permissions being requested.
          scope: 'write:payment read:transaction read:transactions read:utilities write:beneficiaries read:account openid profile email'
        },
      });
    } catch (error) {
      res.status(error.status || 400).end(error.message);
    }
  }
});
```
Environment
- "@auth0/nextjs-auth0": "^1.7.0"
- Next.js
- I’ve enabled RBAC in the API and pretty much every configuration you’d have to make from the Auth0 dashboard side to make this work.
- One thing I’ve played around with in the Auth0 dashboard config is disabling and enabling the Auto-Membership option in Connections, specifically for the Google OAuth connection type.
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Comments: 18 (6 by maintainers)
@adamjmcgrath I finally found what was wrong. The reason it wasn’t working was that in Organizations, under Members, I hadn’t assigned a role to my user containing those scopes/permissions. Even though, under the Users option in the left panel, the user had all the scopes/permissions I was requesting, when it comes to organizations you must give the user a Role in the context of the organization for the scopes to be picked up.
Thanks for the assistance; I highlighted some parts in case anyone else stumbles on this issue.
Dude, you’ve saved me so much time. I wish the Auth0 documentation was clearer about this being a requirement when turning on the Organizations feature.
Ah, ok - thanks @enjon-appstellar, so the problem is with the Client.
Now if I update the sample app and change https://github.com/auth0/nextjs-auth0/blob/main/examples/basic-example/pages/api/auth/[auth0].ts to
Then visit /api/auth/login, I get redirected to https://adam-spa-test.us.auth0.com/authorize?client_id=GTENZRqsQrjJIa1mhPpylDpiRpoZAKmI&scope=write%3Apayment%20read%3Atransaction%20read%3Atransactions%20read%3Autilities%20write%3Abeneficiaries%20read%3Aaccount%20openid%20profile%20email&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fcallback&audience=my-custom-api&nonce=yT3m1bTEmpKgCRSsTx3pwNZFrmJGQlLysWxTfCeqOpY&state=eyJyZXR1cm5UbyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MzAwMCJ9&code_challenge=tWSHPVzm0OFYhgyJvL5WyzDBe_WbuJx29cTs63opVL0&code_challenge_method=S256
With the expected scope parameter:
write:payment read:transaction read:transactions read:utilities write:beneficiaries read:account openid profile email
So I can’t reproduce your issue with the information you’ve given me. I think in order to proceed you’ll need to share a simple app that demonstrates the issue.