Customizing the scope of access tokens using Auth0 Actions

Introduction

Auth0 provides the Actions feature, which lets you run custom logic inside the authentication and authorization flows. In August 2023, the following three feature updates were released:

  • SAML response customization in the post-login flow
  • Scope customization of access tokens
  • Expansion of the user information available to Actions

This page walks through a concrete configuration example for the second item, customizing the scopes of an access token.
For customizing SAML responses in the post-login flow, see Customizing SAML Responses Using Auth0 Actions.

Prerequisites

The feature and setting information on this page is current as of August 2023.
For an overview of the Actions feature and the basic setup steps, see Auth0 Actions: Customizing Tokens.

Feature update overview

The update covered on this page is the following.

  • Scope customization in access tokens
    Methods for adding and removing scopes on the access token were added to the API Object of the Login Flow (the post-login trigger). An Action can add or remove scopes based on information about the request source, the requested resource (audience), and so on.
    The added methods are api.accessToken.addScope and api.accessToken.removeScope. For details, see Actions Triggers: post-login - API Object - Auth0 docs.

Setting and operation example

This section describes how to customize the scopes of an access token with an Action, with an example configuration and a walk-through of the resulting behavior.

Configuration example: Customizing scope for access token

In this example, a scope is added to the access token depending on the country of the access source and on the resource (audience) being requested.

Create a new Action and attach it to the post-login trigger (Login Flow).
For the steps to attach an Action to a trigger, see Customizing SAML Responses Using Auth0 Actions.

  • In the code editor, write the logic to implement (JavaScript)
    * Only the minimum processing needed for the example is shown
exports.onExecutePostLogin = async (event, api) => {
  // event.request.geoip is derived from the client IP address (so a proxy or VPN
  // changes it); event.request.query holds the parameters of the /authorize request.
  // Compare the audience with strict equality so only this exact API identifier
  // receives the extra scope.
  if (event.request.geoip.countryCode === 'JP' && event.request.query.audience === 'https://example.com') {
    // "read:jp" is added to the access token even though the client did not request it
    api.accessToken.addScope("read:jp");
  }
};
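The page's Action above handles one condition. The following is an added example, not the page's own Action code, that goes a step further: the decision is separated into a pure function that can be unit-tested offline, a missing or non-JP geoip is handled explicitly, and api.accessToken.removeScope is used to strip a requested scope outside Japan. The API identifier https://example.com, the scope names read:jp and delete:records, the sample events and the recorder stand-in for the api object are all assumptions made for illustration.

```javascript
// Added example (not the Action from the page): post-login Action that decides
// which scopes to add or remove from the request, then applies the decision
// with api.accessToken.addScope / api.accessToken.removeScope.
// Assumptions for illustration: the API identifier and the scope names below.
const API_AUDIENCE = 'https://example.com';   // assumed API (resource server) identifier
const JP_ONLY_SCOPE = 'read:jp';               // granted only when the request comes from Japan
const RESTRICTED_SCOPES = ['delete:records'];  // assumed scopes withheld outside Japan

/**
 * Pure decision logic, kept free of `api` calls so it can be tested offline.
 * Returns { add: [...], remove: [...] }.
 */
function decideScopes(event) {
  const out = { add: [], remove: [] };
  // audience is a query parameter on GET /authorize and a body field on POST;
  // a request without one is for the tenant's default audience.
  const audience = event.request?.query?.audience ?? event.request?.body?.audience;
  if (audience !== API_AUDIENCE) return out;   // leave tokens for other APIs alone

  // geoip is derived from the client IP: it can be missing (private ranges)
  // or wrong behind proxies/VPNs, so "unknown" is treated the same as "not JP".
  const country = event.request?.geoip?.countryCode ?? null;
  const requested = event.transaction?.requested_scopes ?? [];

  if (country === 'JP') {
    out.add.push(JP_ONLY_SCOPE);
  } else {
    // removeScope only has an effect on scopes the client actually asked for
    for (const s of RESTRICTED_SCOPES) if (requested.includes(s)) out.remove.push(s);
  }
  return out;
}

// Auth0 Action entry point: apply the decision through the api object.
async function onExecutePostLogin(event, api) {
  const { add, remove } = decideScopes(event);
  for (const s of add) api.accessToken.addScope(s);
  for (const s of remove) api.accessToken.removeScope(s);
}
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Stand-in for the real `api` object that only records the calls made to it.
function recorderApi() {
  const calls = [];
  return {
    calls,
    accessToken: {
      addScope: (s) => calls.push(['add', s]),
      removeScope: (s) => calls.push(['remove', s]),
    },
  };
}

// Constructed sample events (not captured from a real tenant); only the
// fields the Action reads are filled in.
function sampleEvent(countryCode, audience, requestedScopes) {
  return {
    request: { geoip: { countryCode }, query: { audience } },
    transaction: { requested_scopes: requestedScopes },
  };
}

// Runs the Action against three sample logins and returns the recorded calls.
async function runSamples() {
  const cases = {
    jp: sampleEvent('JP', API_AUDIENCE, ['openid', 'profile', 'email']),
    us: sampleEvent('US', API_AUDIENCE, ['openid', 'delete:records']),
    otherApi: sampleEvent('JP', 'https://other.example', ['openid']),
  };
  const results = {};
  for (const [name, ev] of Object.entries(cases)) {
    const api = recorderApi();
    await onExecutePostLogin(ev, api);
    results[name] = api.calls;
  }
  return results;
}

runSamples().then((r) => console.log(JSON.stringify(r)));
```

In the Auth0 code editor only the constants, decideScopes and the exports.onExecutePostLogin assignment are needed; the recorder and the sample events exist so the decision logic can be exercised locally before deploying the Action.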

Example: Customizing scope of access token

Use the Authorization Code Flow to confirm that the Action you created customizes the token. For the required application and API settings, see Authorization Code Flow (Access Token & ID Token) in Auth0.

1. Request an authorization code from the Auth0 /authorize endpoint (open the following URL in a web browser; the spaces in scope are URL-encoded as %20)
https://<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com/authorize?audience=https://example.com&response_type=code&scope=openid%20profile%20email&client_id=Bb9P6WoNhg0XIBnpSNLxd284ChfCxUIq&redirect_uri=https://example.com
2. Auth0 displays the login screen: authenticate as a user
3. Auth0 redirects to the redirect_uri specified in step 1: read the authorization code from the URL
https://example.com/?code=LfsgBMfG4Gs_TxysEr_6yXREFb2W10a0UrL9VIwEzZpjz
4. Call the Auth0 /oauth/token endpoint to exchange the code for an access token (the client secret is shown as a placeholder; keep the real value out of documents and logs)
> curl -X POST --url 'https://<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com/oauth/token' --header 'content-type: application/x-www-form-urlencoded' --data 'grant_type=authorization_code&client_id=Bb9P6WoNhg0XIBnpSNLxd284ChfCxUIq&client_secret=<YOUR_CLIENT_SECRET>&code=LfsgBMfG4Gs_TxysEr_6yXREFb2W10a0UrL9VIwEzZpjz&redirect_uri=https://example.com'

Result (scope addition confirmed: "read:jp" appears in scope even though it was not requested)

{
	"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6Ikp...(omitted)...uddoylYsMiU_cxfgUXQ",
	"id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVC...(omitted)...reTo69XG_wKEv3otwug",
	"scope":"openid profile email read:jp",
	"expires_in":86400,
	"token_type":"Bearer"
}
5. Check the obtained access token. * Decode the access token, for example with jwt.io (only paste test-tenant tokens into a third-party decoder; for tokens from a production tenant, decode and verify them locally).

Decoded access token (confirm scope addition)

{
	"iss": "https://<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com/",
	"sub": "auth0|642637dc3d0fd8dd93fedd90",
	"aud": [
	"https://example.com",
	"https://<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com/userinfo"
	],
	"iat": 1694236566,
	"exp": 1694322966,
	"azp": "Bb9P6WoNhg0XIBnpSNLxd284ChfCxUIq",
	"scope": "openid profile email read:jp"
}

Conclusion

This page introduced how to customize the scopes of an access token using the Actions feature update. Since the EOL (End of Life) of Rules and Hooks has been announced, more processing that can be implemented with Actions is expected to be added in the future.

We will continue to update this information as further updates are released.

Macnica Okta Co., Ltd.