Auth0 - Insufficient scope

Question

I'm using Auth0 in my Node.js application and I'm facing Insufficient scope error when trying to protect any routes in my app.

I've been searching for a while and I found a bunch of similar problem, but couldn't manage to find the solution.

Essentially, in my node app I have to protect a route as follow:

const checkScopes = jwtAuthz(['read:flights']);

However, I always receive Insufficient scope error when adding the middleware to protect my route:

app.get('/api/permission', checkJwt, checkScopes, (req, res) => {
  res.send({
    msg: 'Your access token AND PERMISSION was successfully validated!'
  });
});

Could you help me please?

Answer 1

you should include a second parameter called "customScopeKey" this way auth0 will use permission instead of scope to validate the user credentials.

use this:

const checkScopes = jwtAuthz(['read:flights'], { customScopeKey: "permissions" });

instead of

const checkScopes = jwtAuthz(['read:flights']);

Answer 2

You can try const checkScopes = jwtAuthz(['read:flights'], { customUserKey: "auth" });

By default, permissions are checked against req.user. However, I noticed in the latest version, req.user is undefined. Instead, the token is under req.auth

Answer 3

You have saved my sanity along with my business. God speed you.

Just to reiterate (with example)...

app.get('/test', jwtCheck, jwtAuthz(['read:generatedLeads'], { customScopeKey: "permissions", customUserKey: "auth" }),  (req, res) => {
    infoLogger.info(FILE_NAME, METHOD, "Health Check is passing...")
    res.status(200).send({health: "Token Accepted"})
})

Adding customUserKey: "auth" as part of the config for jwtAuthz resolved my issue with "insufficient scope" error.