next-auth - Relying On Okta Default Scopes Specified In Access Policies

Question

I'm working on a Next.js application that uses Okta as an identity provider. I'm new to OIDC, and appreciate any corrections on terminology or misunderstandings I have.

The app uses a custom API Authorization Server in Okta, and users log in with the authorization code flow. Currently the Authorization Server is configured with a number of custom scopes that define permissions the users may be granted, and all of those scopes are defaults. We use Access Policies to control which of those default policies are granted to users based on group membership as a form of role based access control. So, if a user is a member of the MyAppReadWrite group, they could get myapp:api:read and myapp:api:write scopes in addition to the openid that is required in the authorization code flow.

The default options for next-auth that I see here are to request openid, email, and profile:

export default function Okta<P extends OktaProfile>(
  options: OAuthUserConfig<P>
): OAuthConfig<P> {
  return {
    id: "okta",
    name: "Okta",
    type: "oauth",
    wellKnown: `${options.issuer}/.well-known/openid-configuration`,
    authorization: { params: { scope: "openid email profile" } },
    idToken: true,
    profile(profile) {
      return {
        id: profile.sub,
        name: profile.name ?? profile.preferred_username,
        email: profile.email,
        image: profile.picture,
      }
    },
    style: { logo: "/okta.svg", bg: "#000", text: "#fff" },
    options,
  }
}

When I log in to the app and introspect the token I get back from Okta, it correctly has those three scopes (and their associated claims) as I expect. However, I know from interacting with the authorization server directly in Postman that if I omit the scope parameter entirely Okta will issue me back any default scopes that are permitted in the Access Policy that I match on. I want to do that same thing in next-auth so that users are issued the scopes appropriate for their role automatically on login. I've tried to override these defaults by setting the scopes to either undefined or "" but when I do so my login attempts fail with the error Try signing in with a different account.

How can I omit scopes entirely from the next-auth request to Okta? Or, if there is a more appropriate way to be issued the correct scopes for a user's role in Okta, how do I accomplish that if not through default scopes and access policies?

Thank you!

Answer 1

I think you could use a more standard and productive approach, since trying to use scopes for a user's role will add a lot of complexity.

SCOPES

Scope values are fixed at design time so you cannot use them for properties that vary per user, like roles. Instead, start with a scope to represent your app's business area, eg sales. Then combine that with any built in OIDC scopes like openid profile email.

SCOPES CONTAIN CLAIMS

In Okta you can configure custom claims and associate them to scopes. So when a client requests a sales scope you might configure Okta to issue a role claim and a subscription_level claim to access tokens. Unlike scopes, claims are assigned values for the runtime user. You need to instruct Okta how to assign those values.

Note also that this is how the OIDC standard scopes and claims work. Eg the profile scope contains given_name and family_name claims.

BENEFITS

• Your Next app and any APIs only need simple code to send and receive tokens.
• Better API security since your APIs can easily reject access tokens for another business area.
• It is a pattern that you can easily extend - in OAuth you should be able to issue any custom scopes and claims to access tokens that your APIs need.

Answer 2

You can request all the scopes you desire, regardless of whether the user has access to them. Okta will only return the authorized scopes, even if you asked for others.

I believe the Okta provider has some defaults. If you want to totally remove them, you can also create a custom provider based on the current Okta provider and remove the scope parameter completely. NextAuth doesn’t have an internal default for all providers.