The call to Auth0 currently is:
<button onclick="widget.signin({ scope: 'openid profile' })" class="btn btn-primary" >Login</button>
This results in Auth0 requesting access to users' Tweets and Twitter followers, LinkedIn Profile information, and Google+ personal data. This is far more information than is required to support simple authentication. This request for additional data may lead users not to proceed, as they may not want Auth0 (or WeAreYVR) to have access to their personal data.
Fortunately, it looks as if we can request authentication only, without personal data access.
According to the Auth0 Docs, the following Scope parameters are available:
scope: 'openid': (default) It will return, not only the access_token, but also an id_token which is a JSON Web Token (JWT). The JWT will only contain the user id (sub claim).
scope: 'openid profile': If you want the entire user profile to be part of the id_token.
scope: 'openid {attr1} {attr2} {attrN}': If you want only specific user's attributes to be part of the id_token (For example: scope: 'openid name email picture').
It looks like if we use the default
scope: 'openid'
rather than the current
scope: 'openid profile'
then we might get simple authentication rather than personal profile access. Worth testing to be sure...
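One way to run that test, as an added example (not code from this post or from Auth0): decode the id_token returned for each scope setting and list any claims beyond the protocol ones. The function names, the protocol-claim list and the sample tokens are assumptions constructed for illustration; in practice the id_token would come from the login callback.

```javascript
// Claims that carry no profile data: JWT registered claims plus
// OpenID Connect protocol claims (list assumed for this example).
const PROTOCOL_CLAIMS = new Set([
  'iss', 'sub', 'aud', 'exp', 'iat', 'nbf', 'jti',
  'nonce', 'auth_time', 'azp', 'at_hash', 'c_hash',
]);

// Decode the payload (middle segment) of a JWT without verifying it.
// Inspection only: verify the signature before trusting any claim.
function decodeIdTokenPayload(idToken) {
  const parts = String(idToken).split('.');
  if (parts.length !== 3) {
    throw new Error('id_token is not a three-part JWT');
  }
  // base64url -> base64; Node's decoder tolerates missing padding.
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const payload = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    throw new Error('id_token payload is not a JSON object');
  }
  return payload;
}

// Sorted names of the claims that expose user profile data.
function profileClaims(idToken) {
  return Object.keys(decodeIdTokenPayload(idToken))
    .filter((name) => !PROTOCOL_CLAIMS.has(name))
    .sort();
}

// Constructed sample tokens (made-up values, placeholder signature).
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}

const base = {
  iss: 'https://tenant.example/', sub: 'twitter|0000',
  aud: 'CLIENT_ID_PLACEHOLDER', exp: 1700003600, iat: 1700000000,
};
const openidOnly = makeSampleToken(base);
const openidProfile = makeSampleToken({
  ...base, name: 'Sample User', email: 'user@example.com',
  picture: 'https://example.com/a.png',
});

console.log("scope 'openid':        ", profileClaims(openidOnly));
console.log("scope 'openid profile':", profileClaims(openidProfile));
```

This shows what the id_token carries for a given scope; what each social provider's consent screen asks for should be checked separately during the same test login.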