I’ve found the problem - but it’s still perplexing!
So I went back over the config and checked the 3 things you mentioned. All were fine.
- “Enable RBAC” and “Add Permissions in the access token” is 100% saved.
- The user definitely has the Reader role
- The role definitely has the Permissions
I missed out an important bit of information in my original post to you about the Regular Web Application that I set up to talk to my API… it is set up for Business Users with the 1st option, “Prompt for user credentials first”.
If I switch this back to Individual Users (the default when you set up a Regular Web Application) then I get the expected read:weather permission in my token, as shown below:
{
  "iss": "https://{removed}.{removed}.auth0.com/",
  "sub": "auth0|{removed}",
  "aud": [
    "https://cloudoko-portal-api/"
  ],
  "iat": 1738402793,
  "exp": 1738489193,
  "scope": "openid profile email",
  "azp": "{removed}",
  "permissions": [
    "read:weather"
  ]
}
(Obviously the org_id claim is now removed too)
Interestingly, I also set up a separate Single Page Application, downloaded the Vanilla JS Quickstart and configured that. As with the .NET example, when I call for an access token for the same API audience we were trying before (https://cloudoko-portal-api) with Individual Users set, then I get the read:weather permission. But again, if I set that SPA application to Business Users then I get an empty array.
So I think we’ve found the problem, but what could be the issue here? Is this a bug in the RBAC / Permissions in token feature for SPA and Regular Web Apps when you set the user type to Business Users Only, or am I driving the Auth0 SDK incorrectly both in my .NET and JS code?
Are you able to recreate my issue too?
A bit of background on our use case - we’re updating our SaaS platform to use Auth0 for authentication and we work with users that work for different organisations. We have a “tenant” concept that we wish to map on to Auth0 organisations (on paper they’re a perfect match). Also for our own “Admin” users - the people that work for us and need to support the product - we want to be able to log in under customer organisations so that we can diagnose issues etc.
Thanks
Matt
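An added example, not code from Matt's post or from the Auth0 SDK: the authorization check an API can run over the decoded access-token claims once the SDK has verified the signature. It mirrors the two situations described above: the Individual Users token carrying "read:weather", and the Business Users token that carries an org_id but an empty permissions array. The API should fail closed in the second case rather than treat a missing claim as "allowed". The claim objects, the org_id, the client id, the tenant hostname and the demo token are all constructed here; signature and issuer verification are assumed to have already happened (the decode helper only reads the payload and does not verify anything).

```javascript
// Constructed claims, modelled on the token shown in the post above.
// Redacted values from the post are replaced with obvious placeholders.
const SAMPLE_INDIVIDUAL = {
  iss: "https://example-tenant.example.auth0.com/", // placeholder tenant
  sub: "auth0|user-placeholder",
  aud: ["https://cloudoko-portal-api/"],
  iat: 1738402793,
  exp: 1738489193,
  scope: "openid profile email",
  azp: "client-id-placeholder",
  permissions: ["read:weather"],
};

// Same user through the Business Users (Organizations) flow, as the post
// describes it: org_id is present, permissions comes back empty.
const SAMPLE_BUSINESS = {
  ...SAMPLE_INDIVIDUAL,
  org_id: "org_placeholder",
  permissions: [],
};

// Build an UNSIGNED demo token (header.payload.) so the decoder below has
// something realistic to parse. Real Auth0 tokens are RS256-signed; this is
// only for inspecting the payload shape, never for trusting it.
function makeDemoToken(claims) {
  const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${b64url({ alg: "none", typ: "JWT" })}.${b64url(claims)}.`;
}

// Decode the payload segment of a JWT. This does NOT verify the signature;
// call it only on a token the SDK has already verified.
function payloadFromJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Fail-closed authorization decision over verified claims.
// Every check that fails returns a reason, so the API can log why a
// request was rejected (e.g. "permissions claim missing or empty").
function authorize(claims, { audience, permission, expectedOrgId, now }) {
  const nowSec = now ?? Math.floor(Date.now() / 1000);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(audience)) {
    return { allowed: false, reason: "audience mismatch" };
  }
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) {
    return { allowed: false, reason: "token expired" };
  }
  // When the API is deployed per organization (the "tenant" mapping in the
  // post), require the org_id claim to match the organization being served.
  if (expectedOrgId !== undefined && claims.org_id !== expectedOrgId) {
    return { allowed: false, reason: "org_id missing or mismatched" };
  }
  const perms = Array.isArray(claims.permissions) ? claims.permissions : [];
  if (perms.length === 0) {
    return { allowed: false, reason: "permissions claim missing or empty" };
  }
  if (!perms.includes(permission)) {
    return { allowed: false, reason: `missing permission ${permission}` };
  }
  return { allowed: true, reason: "ok" };
}

// Stand-alone demonstration: the Individual Users token passes, the
// Business Users token is rejected with a reason the API can log.
const OPTS = {
  audience: "https://cloudoko-portal-api/",
  permission: "read:weather",
  now: 1738402800, // constructed clock value inside the token's validity window
};
console.log(authorize(payloadFromJwt(makeDemoToken(SAMPLE_INDIVIDUAL)), OPTS));
console.log(authorize(payloadFromJwt(makeDemoToken(SAMPLE_BUSINESS)), OPTS));
console.log(
  authorize(SAMPLE_BUSINESS, { ...OPTS, expectedOrgId: "org_placeholder" })
);
```

The point of returning a reason rather than a bare boolean is that an empty permissions array, as seen with the Business Users setting, then shows up in the API's logs as "permissions claim missing or empty", which distinguishes an RBAC/token configuration problem from a user who simply lacks the role.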