Customize defaultScope used by auth0Client

[srihari93]

Description

The library includes 'openid profile email' as defaultScope and there is no way for devs to exclude these scopes. Some of our users have lot of unnecessary information in profile and their JWT tokens too big to fit in the Authorization header. We would like to have the flexibility to exclude some scopes, as we have with the auth0-lock.js.

The maintainers suggested that a advancedScope.defaultScope can be used to control defaultScope for cases like us but, keep the default behaviour for other devs. This is an acceptable solution to us and this PR implements the suggestion.

const auth0 = await createAuth0Client({
  client_id: 'cid',
  domain: 'domain.auth0.com',
  advancedOptions: {
    defaultScope: 'openid'
  }
})

The Docs should be changed to add this info.

References

• getUniqueScopes forces DEFAULT_SCOPES to be in scope #228 (comment)
• getUniqueScopes forces DEFAULT_SCOPES to be in scope #228 (comment)

Testing

A simple test is added, please see if thats enough https://github.com/srihari93/auth0-spa-js/blob/a2fc948757362de2bdb3d05f661cd6304fbaacc5/__tests__/index.test.ts#L187-L203

Checklist

• I have added documentation for new/changed functionality in this PR description
• All active GitHub checks for tests, formatting, and security are passing
• The correct base branch is being used, if not master

[stevehobbsdev]

Thanks for this @srihari93.

We will need additional tests that cover the other entry points into the SDK that deal with default scopes. I see you've provided a test for getIdTokenClaims, we will need equivalent tests for:

• getTokenSilently
• loginWithRedirect
• getUser
• getTokenWithPopup
• loginWithPopup
• buildAuthorizeUrl

These all process default scopes, either by calling getUniqueScopes directly or through _getParams.

[damieng]

I think we also want to force openid to always be included as well as part of our OIDC Compliance push.

[stevehobbsdev]

@srihari93 As mentioned above, we would need additional tests written plus we need to enforce openid even if the developer specifies other defaults.

This could be done in the constructor here, for example.

this.defaultScope = getUniqueScopes(`openid 
      ${
        this.options.advancedOptions &&
        this.options.advancedOptions.defaultScope
          ? this.options.advancedOptions.defaultScope
          : DEFAULT_SCOPE
      }`);

Let me know if you'd be able to make these changes, or whether you're happy for me to make them on your behalf.

[stevehobbsdev]

Requires changes as mentioned in the comments above. We would like to include this in an up-coming release; let me know if we can make these changes for you.

[srihari93]

@stevehobbsdev Sorry, for being sparse with my communication. If you can make the changes, please go ahead. I had to deprioritize this among my other tasks, so I would appreciate if you can take the feature ahead yourself.

[stevehobbsdev]

Will do, thanks @srihari93

[conorcussell]

If you need an extra pair of hands to get this into the next release, I'd happily make the changes mentioned above @stevehobbsdev

[stevehobbsdev]

Thanks @conorcussell. They're already in progress, I just need to push what I have (hopefully tomorrow). Feel free to chime in on a review once they're there 👍

[stevehobbsdev]

I could not push changes to this PR, so I have now opened #435 to implement this.