Add Auth0 Authentication to Blazor Web Apps

Hi @andrea.chiarelli

I’ve found the problem - but it’s still perplexing!

So I went back over the config and checked the 3 things you mentioned. All were fine.

  1. “Enable RBAC” and “Add Permissions in the access token” is 100% saved.
  2. The user definitely has the Reader role
  3. The role definitely has the Permissions

I missed out an important bit of information in my original post to you about the Regular Web Application that I set up to talk to my API… it is set up for Business Users with the 1st option, “Prompt for user credentials first”.

If I switch this back to Individual Users (the default when you set up a Regular Web Application) then I get the expected read:weather permission in my token as shown below :thinking:

{
  "iss": "https://{removed}.{removed}.auth0.com/",
  "sub": "auth0|{removed}",
  "aud": [
    "https://cloudoko-portal-api/"
  ],
  "iat": 1738402793,
  "exp": 1738489193,
  "scope": "openid profile email",
  "azp": "{removed}",
  "permissions": [
    "read:weather"
  ]
}

(Obviously the org_id claim is now removed too)

Interestingly, I also set up a separate Single Page Application, downloaded the Vanilla JS Quickstart and configured that. As with the .NET example, when I call for an access token for the same API audience we were trying before (https://cloudoko-portal-api) with Individual Users set, then I get the read:weather permission. But again if I set that SPA application to Business Users then I get an empty array.

So I think we’ve found the problem, but what could be the issue here? Is this a bug in the RBAC / Permissions in token feature for SPA and Regular Web Apps when you set the user type to Business Users Only, or am I driving the Auth0 SDK incorrectly in both my .NET and JS code?

Are you able to recreate my issue too?

A bit of background on our use case - we’re updating our SaaS platform to use Auth0 for authentication and we work with users that work for different organisations. We have a “tenant” concept that we wish to map on to Auth0 organisations (on paper they’re a perfect match). Also for our own “Admin” users - the people that work for us and need to support the product - we want to be able to log in under customer organisations so that we can diagnose issues etc.

Thanks
Matt

Hey @matthew.wynn,
This clarifies the reason for that behavior.

Users can have different roles based on the Organization to which they belong. A user can be an admin in one Organization but just a reader in another org.
The role you assign to a user regardless of an Organization is only considered when the user accesses as an Individual.

In your case, your user has a role assigned when the user accesses as an individual, but your configuration requires only members of an Organization, so the role associated with the user is ignored.

When you use Organizations, the roles must be assigned at the Organization level.

Here is a starting point for learning more about the login flows for Organizations.

I hope this helps clarify.
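As an added illustration of the point above (example code, not from either poster or from Auth0): an API-side authorization check that enforces a permission from the access token while honouring the Organization context. The audience and the read:weather permission come from the decoded token shown earlier in the thread; the org_id values and the second and third payloads are constructed for the example. The function assumes the JWT signature, issuer and expiry have already been verified upstream (for instance by your framework's JWT bearer middleware) and only inspects the resulting claims.

```python
"""Added example: enforce an Auth0 RBAC permission in an Organization-aware way.

Not code from the original thread. The payloads are constructed: the first is
modelled on the decoded token shown above, the other two add an org_id claim,
which Auth0 includes when a user logs in through an Organization.
The token is assumed to have been signature-verified before this check runs.
"""

from dataclasses import dataclass
from typing import List, Optional

# Audience from the thread; org ids are placeholders for the example.
API_AUDIENCE = "https://cloudoko-portal-api/"
TENANT_ORG_ID = "org_exampleTenant"  # hypothetical Organization id


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(claims: dict, required_permission: str,
              expected_audience: str = API_AUDIENCE,
              expected_org_id: Optional[str] = None) -> Decision:
    """Decide whether the (already verified) claims grant required_permission.

    expected_org_id is None for an "Individual Users" application; for a
    "Business Users" application pass the Organization the request targets.
    """
    aud = claims.get("aud", [])
    if isinstance(aud, str):          # aud can be a string or a list
        aud = [aud]
    if expected_audience not in aud:
        return Decision(False, "audience mismatch")

    org_id = claims.get("org_id")
    if expected_org_id is not None and org_id != expected_org_id:
        # Stops a token minted for tenant A being replayed against tenant B.
        return Decision(False, "token was not issued for the expected organization")

    permissions: List[str] = claims.get("permissions", [])
    if required_permission in permissions:
        return Decision(True, "permission granted")

    # The failure mode from the thread: an Organization login (org_id present)
    # but an empty permissions array usually means the role was assigned to the
    # user directly instead of to the user's membership in that Organization.
    if org_id is not None and not permissions:
        return Decision(False, f"no permissions in token for {org_id}; "
                               "check that the role is assigned at the Organization level")
    return Decision(False, f"missing permission {required_permission}")


# Constructed sample payloads (timestamps, sub and azp shortened for the example).
INDIVIDUAL_LOGIN = {
    "iss": "https://example.auth0.com/",
    "sub": "auth0|example",
    "aud": [API_AUDIENCE],
    "scope": "openid profile email",
    "azp": "example-client-id",
    "permissions": ["read:weather"],
}
ORG_LOGIN_USER_LEVEL_ROLE = {**INDIVIDUAL_LOGIN, "org_id": TENANT_ORG_ID, "permissions": []}
ORG_LOGIN_ORG_LEVEL_ROLE = {**INDIVIDUAL_LOGIN, "org_id": TENANT_ORG_ID}


if __name__ == "__main__":
    for name, claims in [("individual", INDIVIDUAL_LOGIN),
                         ("org, user-level role", ORG_LOGIN_USER_LEVEL_ROLE),
                         ("org, org-level role", ORG_LOGIN_ORG_LEVEL_ROLE)]:
        expected_org = claims.get("org_id")
        d = authorize(claims, "read:weather", expected_org_id=expected_org)
        print(f"{name}: allowed={d.allowed} ({d.reason})")
```

The org_id comparison is the part worth keeping even after the role assignment is fixed: for a multi-tenant API, a token that carries the right permission but a different org_id than the tenant being addressed should still be rejected.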

Thanks @andrea.chiarelli - you solved my issue.

The problem was that the role was assigned at the user level (and I never spotted that Auth0 gives you the ability to do that assignment at the organisation level). This makes perfect sense, when you log in as your user within a certain organisation your role may also be different.

I’m very happy to say that I now get permissions back in the access token when the application is set to require Business Users, which is a big relief - as it means we can resume our SaaS platform migration to move to Auth0! :tada:


That’s a great news, @matthew.wynn! :tada: :partying_face:
Happy to have helped you!