Adding permissions in ID token

Is it considered bad practice in terms of OAuth2 specification to add roles/permissions in ID token?

Hi @ahmed.mekliov,

Welcome to the Auth0 Community!

Yes, because the ID token holds information related to the user’s identity, as opposed to an access token, which contains information about a user’s access to protected resources.

This often includes roles and permissions that define the extent of the user’s access to these resources. For example, an Admin role might have CRUD (Create, Read, Update, Delete) permissions, whereas an end-user role might be limited to read-only permissions.

Given that, it’s considered best practice to store roles and permissions in the access token rather than the ID token.

Let me know if you have any additional questions.

Cheers,
Rueben

Hi @rueben.tiow ,
My question is related to a broader topic that we are currently facing. We need to get the permissions/roles in the FE in order to be able to show/hide different elements. Since the access token is not meant to be used in the FE, and it is considered bad practice to store the roles in the ID token as well, I was wondering what would be the best solution for a situation like ours.

Regards,
Ahmed

Hi @ahmed.mekliov,

Thanks for the reply.

You should be able to use the access token on your front-end application.

See OAuth 2.0 Authorization Framework.

Hey, @rueben.tiow

Yes, that is true, but is it considered a safe practice, since the access token is issued for the resource owners and the FE is just sending them to the BE, where the whole validation of the token and checking for the permissions is triggered? And according to the OAuth specifications: an access token is used by a client to access a resource. And since there are no resources on the FE, I didn’t consider the access token a valid option initially. What do you think?

Regards,
Ahmed

Hi @ahmed.mekliov,

This is true if you are accessing a protected resource. The FE is issued an access token from the BE after validating login credentials. The access token will contain permissions defined by scopes and is used to determine whether the user is allowed to access the resource.

Let me mention that you are not prohibited from adding permissions to the ID token, but as we discussed, it’s not ideal if you intend to use them to show/hide different types of data.

Thanks,
Rueben
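A front-end helper illustrating the advice above, added here as an example rather than code from the thread or from Auth0: it derives show/hide hints from the access token's `permissions` claim (a claim name assumed for illustration) and never from the ID token, while the back-end still enforces authorization on every API call.

```javascript
// Added example (not from the thread). Decodes a JWT client-side without
// verifying the signature, so the result is only a UI hint: the BE must
// re-validate the token and check permissions on every request.

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  // Middle segment is base64url-encoded JSON (Node 16+ supports 'base64url').
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Returns the set of permissions the UI may use for show/hide decisions.
// Missing or expired claims yield an empty set (deny by default).
function uiCapabilities(accessToken, { now = Date.now() / 1000 } = {}) {
  const claims = decodeJwtPayload(accessToken);
  if (typeof claims.exp === 'number' && claims.exp <= now) return new Set();
  const perms = Array.isArray(claims.permissions) ? claims.permissions : [];
  return new Set(perms.filter((p) => typeof p === 'string'));
}

function canShow(caps, requiredPermission) {
  return caps.has(requiredPermission);
}

// Constructed sample tokens; the signature segment is a placeholder.
function makeUnsignedJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.sig`;
}

const SAMPLE_ACCESS_TOKEN = makeUnsignedJwt({
  sub: 'auth0|user123',
  aud: 'https://api.example.test',
  exp: 4102444800,
  scope: 'openid read:items',
  permissions: ['read:items', 'update:items'],
});

// ID token carries identity only, so it yields no capabilities.
const SAMPLE_ID_TOKEN = makeUnsignedJwt({
  sub: 'auth0|user123', name: 'Ahmed', email: 'ahmed@example.test', exp: 4102444800,
});

const sampleCaps = uiCapabilities(SAMPLE_ACCESS_TOKEN);
console.log(canShow(sampleCaps, 'update:items'), canShow(sampleCaps, 'delete:items'));
```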
