I’m using Auth0 for application authentication and I’m using API Permissions for more fine-grained authz. Most of it is working, but I’m at a loss on how to get the API Permissions into the User.Claims.
I’m able to get the right permissions from the access token using HttpContext.GetTokenAsync("access_token")
But, I was expecting the API permissions to be included in User.Claims
Should the API permissions be there by default or do I have to do something special?
I have flipped the bit in settings for RBAC and include in Access Token, and they are there.
But they just don’t show up in User.Claims. I could look at creating a customerAuthenticationStateProvider, but I think I’m missing something simple.
After additional investigation I can tell that the role-based API permissions are intended to be present in the Access Token, and with the Actions Script it’s possible to only enrich the ID token with a Roles claim.
One way that comes to my mind, if you need this data within the ID token, is to update the user’s app_metadata or user_metadata object with the API permissions and add a custom claim to the ID token containing this metadata (in a similar way you added the Roles claim).
This Management API endpoint lists user’s permissions (both assigned directly and ones that come from Role assignment) - Auth0 Management API v2
They are listed per the resource_server_identifier (your API identifier).
In the Actions script you can also refer to the event.resource_server object and try to use this identifier to extract only the API permissions relevant to the login context.
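An added example of the approach sketched in the reply above (example code, not from the thread or from Auth0): a post-login Action that reads permissions previously stored in app_metadata and copies only those for the API named by event.resource_server into a custom ID token claim. The app_metadata layout and the claim name are assumptions.

```javascript
// Added example, not from the thread: Auth0 post-login Action that copies the
// caller's API permissions from app_metadata into a custom ID token claim,
// keeping only those for the API the login targets (event.resource_server).
// Assumed app_metadata shape (filled out of band from the Management API):
//   { "permissions": { "<api identifier>": ["read:orders", ...], ... } }
// The claim name is an assumption; a namespaced name avoids clashing with
// reserved OIDC claims.
const PERMISSIONS_CLAIM = 'https://example.com/permissions';

// Pure helper so the selection logic can be tested outside the Auth0 runtime.
// Returns a sorted, de-duplicated list for the requested API, or an empty
// list when nothing applies (no metadata, unknown API, malformed entry).
function selectPermissions(appMetadata, audience) {
  const byApi = appMetadata && appMetadata.permissions;
  if (!byApi || typeof byApi !== 'object' || !audience) return [];
  const raw = byApi[audience];
  if (!Array.isArray(raw)) return [];
  const clean = raw.filter((p) => typeof p === 'string' && p.length > 0);
  return Array.from(new Set(clean)).sort();
}

// Action entry point. event.resource_server is only set when the login asked
// for an API audience; without it the claim is omitted rather than emitting
// every permission the user holds for any API.
async function onExecutePostLogin(event, api) {
  const audience = event.resource_server && event.resource_server.identifier;
  const meta = event.user && event.user.app_metadata;
  const perms = selectPermissions(meta, audience);
  if (perms.length === 0) return;
  api.idToken.setCustomClaim(PERMISSIONS_CLAIM, perms);
}

// Export in the form the Actions runtime expects (guarded for non-CommonJS).
if (typeof module !== 'undefined' && module.exports) {
  module.exports.onExecutePostLogin = onExecutePostLogin;
}
```

The claim is a convenience copy for the client UI; app_metadata can lag behind role changes, so the API itself must keep authorizing on the permissions in the access token.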