Find Requested Scopes in Actions for "Refresh token", "Client Credential Exchange" or "Resource Owner Password Grant"
Overview
This article explains where to find the requested scopes in Auth0 Actions for the Refresh Token, Client Credentials, and Resource Owner Password Grant (ROPG) flows. During a standard interactive login, the requested scopes are available in the event.transaction.requested_scopes array. In these non-interactive flows that property is not populated with the client's request, so the scopes must be read from other properties of the event object, which differ by flow and trigger.
Applies To
- Auth0 Actions
- Refresh Token
- Client Credentials
- Resource Owner Password Grant (ROPG)
Solution
To identify scopes in non-interactive flows, use the specific locations and triggers described below.
Refresh Token Exchange
When a client uses a Refresh Token to obtain a new Access Token, the scopes were normally requested at the initial login rather than on the refresh call, so event.transaction.requested_scopes does not reflect them.
The scopes previously granted and tied to the Refresh Token being exchanged are available in the event.refresh_token.resource_servers array of the Post-Login Action.
NOTE: Access to the event.refresh_token object in the Post-Login Action is an Enterprise feature.
If the client passes a scope parameter on the refresh call, that value is available as the raw space-separated string in event.request.body.scope. Per RFC 6749 section 6, a refresh request may only narrow, never extend, the scopes originally granted, so any scope present in event.request.body.scope but absent from event.refresh_token.resource_servers should be treated as a policy violation rather than honored.
Client Credentials Exchange
The Client Credentials grant is used by machine-to-machine applications to authenticate without a user. This flow does not run the Post-Login Action; it runs the Machine-to-Machine (Credentials Exchange) Action trigger instead.
Within that trigger, the requested scopes are in the event.transaction.requested_scopes array, the same location used for interactive logins.
Resource Owner Password Grant
In ROPG, the client application collects the user's credentials directly and sends them to Auth0; this flow does trigger the Post-Login Action. The requested scopes are available as the raw space-separated scope string in event.request.body.scope rather than as a parsed array, so split the string on whitespace before comparing it against a policy.
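The following is an added example, not code from the Auth0 article or an Auth0 sample. It covers all three sections above in one place: a helper reads the scopes from whichever event property applies to the flow that reached the trigger (event.transaction.requested_scopes, event.refresh_token.resource_servers, or event.request.body.scope), and a Post-Login handler and a Credentials Exchange handler enforce a scope policy on the result. Several things are assumptions that the page does not state and that should be checked against a real tenant's event payload: that event.transaction.protocol is "oauth2-refresh-token" for a refresh token exchange and "oauth2-password" for ROPG, that each entry of event.refresh_token.resource_servers carries an `audience` and a space-separated `scopes` string, and that the Credentials Exchange trigger's api.access.deny takes a (code, reason) pair. ALLOWED_SCOPES and the sample events are constructed for the example. In a real tenant each handler lives in its own Action; they are shown together here only to share the helper.

```javascript
// Added example, not code from the Auth0 article or an Auth0 sample. It reads the
// requested scopes from the event property that applies to the flow that reached
// the trigger and enforces a scope policy on them.
//
// Assumptions, labelled because the page does not state them (check your tenant's
// event payload before relying on them):
//   - event.transaction.protocol is "oauth2-refresh-token" for a refresh token
//     exchange and "oauth2-password" for ROPG;
//   - each entry of event.refresh_token.resource_servers carries an `audience`
//     and a space-separated `scopes` string (an array form is tolerated too);
//   - ALLOWED_SCOPES is a constructed allow-list for the example.
const ALLOWED_SCOPES = new Set(['openid', 'profile', 'email', 'offline_access', 'read:reports']);

// Normalise a scope value (space-separated string, array or missing) to an array.
function splitScopes(scope) {
  if (!scope) return [];
  const list = Array.isArray(scope) ? scope : String(scope).split(/\s+/);
  return list.filter(Boolean);
}

// Return { source, scopes, escalated }: `source` names the event property the
// scopes were read from; `escalated` lists refresh-call scopes the token was never
// granted (null when event.refresh_token is unavailable, i.e. not Enterprise).
function resolveRequestedScopes(event) {
  const protocol = event.transaction?.protocol;
  const bodyScopes = splitScopes(event.request?.body?.scope);

  if (protocol === 'oauth2-refresh-token') {
    const servers = event.refresh_token?.resource_servers ?? [];
    const granted = [...new Set(servers.flatMap((rs) => splitScopes(rs.scopes)))];
    if (bodyScopes.length > 0) {
      // RFC 6749 section 6: a refresh request may narrow, never extend, the granted scopes.
      const escalated = event.refresh_token ? bodyScopes.filter((s) => !granted.includes(s)) : null;
      return { source: 'request.body.scope', scopes: bodyScopes, escalated };
    }
    return { source: 'refresh_token.resource_servers', scopes: granted, escalated: [] };
  }
  if (protocol === 'oauth2-password') {
    return { source: 'request.body.scope', scopes: bodyScopes, escalated: [] };
  }
  // Interactive logins and the Credentials Exchange trigger: the documented array.
  const requested = [...(event.transaction?.requested_scopes ?? [])];
  return { source: 'transaction.requested_scopes', scopes: requested, escalated: [] };
}

// Apply the policy; denyReason is a string explaining the refusal, or null.
function evaluateScopes(event) {
  const { source, scopes, escalated } = resolveRequestedScopes(event);
  if (escalated && escalated.length > 0) {
    return { source, scopes, denyReason: `refresh token was never granted: ${escalated.join(' ')}` };
  }
  const outside = scopes.filter((s) => !ALLOWED_SCOPES.has(s));
  if (outside.length > 0) {
    return { source, scopes, denyReason: `scopes not permitted (${source}): ${outside.join(' ')}` };
  }
  return { source, scopes, denyReason: null };
}

// Post-Login trigger (interactive logins, refresh token exchange, ROPG).
const onExecutePostLogin = async (event, api) => {
  const { denyReason } = evaluateScopes(event);
  if (denyReason) api.access.deny(denyReason);
};

// Machine-to-Machine (Credentials Exchange) trigger; assumed deny signature (code, reason).
const onExecuteCredentialsExchange = async (event, api) => {
  const { denyReason } = evaluateScopes(event);
  if (denyReason) api.access.deny('invalid_scope', denyReason);
};

// Register the handlers the way an Auth0 Action expects when loaded as CommonJS.
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
  exports.onExecuteCredentialsExchange = onExecuteCredentialsExchange;
}

// Constructed sample events (not real tenant payloads) for local runs.
const REFRESH_EVENT = {
  transaction: { protocol: 'oauth2-refresh-token', requested_scopes: [] },
  request: { body: { grant_type: 'refresh_token', scope: 'openid read:reports' } },
  refresh_token: { resource_servers: [{ audience: 'https://api.example.com', scopes: 'openid profile offline_access' }] },
};
const ROPG_EVENT = {
  transaction: { protocol: 'oauth2-password', requested_scopes: [] },
  request: { body: { grant_type: 'password', scope: 'openid email admin:all' } },
};
const INTERACTIVE_EVENT = {
  transaction: { protocol: 'oidc-basic-profile', requested_scopes: ['openid', 'profile'] },
  request: { body: {} },
};

for (const [name, ev] of Object.entries({ REFRESH_EVENT, ROPG_EVENT, INTERACTIVE_EVENT })) {
  console.log(name, evaluateScopes(ev));
}
```

Run locally with `node` to see the three decisions: the refresh call is refused because `read:reports` is on the allow-list but was never granted to that Refresh Token, the ROPG call is refused because `admin:all` is outside the allow-list, and the interactive login passes. When event.refresh_token is absent (non-Enterprise tenants) the escalation check cannot be made, so `escalated` is null and only the allow-list check applies; decide explicitly whether that degraded mode is acceptable for your tenant.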