Access token empty on successful login

Hi all

i have created a new react-application and used Auth0 for the authentication… i set up a user for Username-Password-Authentication… the code i use for login is as follows…

> this.auth0.client.login({
>       realm: 'Username-Password-Authentication',
>       scope: 'openid profile',
>       username,
>       password
>     }, (err, authResult) => {
>       if (err) {
>         alert('Error: ' + err.description)
>         return
>       }

it returns me the id_token no problem, which i got working with the help of other threads in here thanks very much… the access_token it returns is empty from what i can tell… it’s about 30 characters long and does not even register with the debugger, and certainly does not contain any permissions which i need it to. There is a rule in place which returns this information if i log into our original application and i assumed this rule would fire before returning the access_token in the added application as well, but it seems not, and i don’t see any config i missed in the dashboard… I have another user which is older which i can get a successful login with as well using the realm ‘Postgres-User-Store’ but the result is the same, id_token is fine but access_token no good… Can anyone point me in the right direction here?


Updated: i added audience to the client setup and now i get part of what i would be expecting in the access token, but still not the permission metadata

Hi @greg6,

It sounds like you were getting an opaque token, but you got that part figured out.

Are you requesting permissions? And are the permissions from RBAC or the application settings?

Let me know.


Hey @dan.woda

The RBAC settings in the audience API are disabled… There is a rule that executes that loads the permissions into the token in our main app, but it does not seem to execute when i run it the way i am, using the Postgres-User-Store with a username and password… The SSO seemed like overkill in the app i am using this for so i thought this would be an easier solution… Perhaps i am missing a step to request the permissions that i am not aware of?


Can you post the code to your rule?


> function (user, context, callback) {
>   if(user.user_metadata.full_name){
> = user.user_metadata.full_name;
>   }
>   var namespace = '';
>   var scopeArray = user.app_metadata.permissions;
>   var scopeString = scopeArray.toString().replace(/,/g,' ');
>   //set scopes for api access via permissions of user.
>   context.accessToken[namespace + 'email'] =;
>   context.accessToken.scope = 'openid profile email ' + scopeString;  
>   context.idToken[namespace + 'role'] = user.app_metadata.roles;
>   context.idToken[namespace + 'user_data'] = user.user_metadata;
>   context.idToken[namespace + 'legacyUser'] = user.app_metadata.legacyUser;
>   context.idToken[namespace + 'initialLogin'] = context.stats.loginsCount <= 1?true:false;
>   callback(null, user, context);
>  }

I just noticed in the logs that whenever i log in with a password an API operation runs for “Update A User” and it blanks my roles and permissions so this could be the culprit… but i am not calling that myself… my code simply calls the login… That API Operation does not appear when i log into the main app with the SSO… but when i do that, permissions and roles reappear for my user… Now i am more confused than before!!

Hi @greg6,

The rule you posted looks good. You should be getting a result from it to confirm. It could be a conflict with another rule.

Would you send me you tenant name in a DM?

I would like to take a look at your rules. Also, do you have any hooks running?


No hooks running, i’ll dm you

Hi @greg6,

Can you please DM me a HAR file of the transaction so I can investigate further?

I think the problem may be that you are not requesting the permissions with the request. Rules run after successful authentication, which could be causing the problem here.

Let me know.


Hi there, I’m another Dev that works with @greg6, I figured this out, it was the permissions themselves they were scoped for another single page application we have configured.

Hi @jeremy76,

Glad it was figured out!

Good luck,

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.