Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

v4: No way to decode access token or retrieve access token scopes #1867

Open
5 tasks done
mogzol opened this issue Jan 23, 2025 · 1 comment
Open
5 tasks done

v4: No way to decode access token or retrieve access token scopes #1867

mogzol opened this issue Jan 23, 2025 · 1 comment

Comments

@mogzol
Copy link

mogzol commented Jan 23, 2025
edited
Loading

Checklist

  • I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

In v3 of the library, you could get the access token scopes from session.accessTokenScope. In v4, there doesn't seem to be any way to access the access token's scopes, or even to decode the access token at all. Is there a recommended way to do this?

Describe the ideal solution

The library should provide the access token's scopes like it did before, and/or provide the whole decoded access token, or a way to decode it.

Alternatives and current workarounds

Currently I am working around this by decoding the access token using jose, in the same way the library's internal AuthClient does it. I want to use the same jwksCache though, and it isn't exposed by the library, so I have to cast to unknown in order to access it, which isn't ideal.

import * as jose from "jose";
import auth0 from "./auth0.ts";

const ISSUER = `https://${process.env.AUTH0_DOMAIN}/`;
const JWKS_URI = `${ISSUER}.well-known/jwks.json`;

type TokenWithScope = jose.JWTPayload & { scope: string };

export async function decodeAccessToken(accessToken: string): Promise<TokenWithScope> {
  // Auth0 does not expose the authClient, so we need to cast to a type that exposes the jwksCache
  const jwksCache = (auth0 as unknown as { authClient: { jwksCache: jose.JWKSCacheInput } })
    .authClient.jwksCache;

  const keyInput = jose.createRemoteJWKSet(new URL(JWKS_URI), { [jose.jwksCache]: jwksCache });
  const { payload } = await jose.jwtVerify<TokenWithScope>(accessToken, keyInput, {
    issuer: ISSUER,
    audience: process.env.AUTH0_AUDIENCE,
    algorithms: ["RS256"],
  });

  return payload;
}

Additional context

No response
@guabu guabu mentioned this issue Jan 27, 2025
Merged
@guabu
Copy link

guabu commented Jan 27, 2025

Hi @mogzol 👋 Thanks for reporting this. The access token scopes will be accessible via the token set in the upcoming release, e.g.:

const session = await auth0.getSession()

console.log(session.tokenSet.scope)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mogzol @guabu