Auth0 Authorization rule seems not to save

patrick.davis · January 16, 2020, 4:33pm

Hi All,

I am currently using the authorization extension. The rule seems to be catched on the server side. The rule code is the default below…

/*
*  This rule been automatically generated by auth0-authz-extension
*/
function (user, context, callback) {
  var _ = require('lodash');
  var EXTENSION_URL = "[redacted]";

  var audience = '';
  audience = audience || (context.request && context.request.query && context.request.query.audience);
  if (audience === 'urn:auth0-authz-api') {
    return callback(new UnauthorizedError('no_end_users'));
  }

  audience = audience || (context.request && context.request.body && context.request.body.audience);
  if (audience === 'urn:auth0-authz-api') {
    return callback(new UnauthorizedError('no_end_users'));
  }

  getPolicy(user, context, function(err, res, data) {
    if (err) {
      console.log('Error from Authorization Extension:', err);
      return callback(new UnauthorizedError('Authorization Extension: ' + err.message));
    }

    if (res.statusCode !== 200) {
      console.log('Error from Authorization Extension:', res.body || res.statusCode);
      return callback(
        new UnauthorizedError('Authorization Extension: ' + ((res.body && (res.body.message || res.body) || res.statusCode)))
      );
    }

    // Update the user object.
    user.groups = data.groups;
    user.roles = data.roles;
    user.permissions = data.permissions;

    // Store this in the user profile (app_metadata).
    saveToMetadata(user, data.groups, data.roles, data.permissions, function(err) {
      return callback(err, user, context);
    });
  });
  
  // Convert groups to array
  function parseGroups(data) {
    if (typeof data === 'string') {
      // split groups represented as string by spaces and/or comma
      return data.replace(/,/g, ' ').replace(/\s+/g, ' ').split(' ');
    }
    return data;
  }

  // Get the policy for the user.
  function getPolicy(user, context, cb) {
    request.post({
      url: EXTENSION_URL + "/api/users/" + user.user_id + "/policy/" + context.clientID,
      headers: {
        "x-api-key": configuration.AUTHZ_EXT_API_KEY
      },
      json: {
        connectionName: context.connection || user.identities[0].connection,
        groups: parseGroups(user.groups)
      },
      timeout: 5000
    }, cb);
  }

  // Store authorization data in the user profile so we can query it later.
  function saveToMetadata(user, groups, roles, permissions, cb) {
    user.app_metadata = user.app_metadata || {};
    user.app_metadata.authorization = {
      groups: groups,
      roles: roles,
      permissions: permissions
    };

    auth0.users.updateAppMetadata(user.user_id, user.app_metadata)
    .then(function() {
      cb();
    })
    .catch(function(err){
      cb(err);
    });
  }
}

however the error that I am getting seems to be related to old code

"error": {
      "message": "Authorization Extension2: {\"statusCode\":401,\"error\":\"Unauthorized\",\"message\":\"Missing authentication\"}",
      "oauthError": "unauthorized",
      "type": "oauth-authorization"
    },

the “Extension2” was a string that I added to one of the errors however it does not exist in the current code.

I have tried the following

recreated the rule as a different rule
Turned off the authorization rule (it still seems to run)
Turned on and off the API
deleted the different users
uninstall and reinstalled and recreated the extension configuration (using the default rule above)

Interestingly enough when I run the rule through he “try” button it runs as expected.

Any other ideas?

** Edited for formatting

dan.woda · January 16, 2020, 6:09pm

Hi @patrick.davis,

It shouldn’t be caching like that. Can you DM me your tenant name so I can check it out?

Thanks,
Dan

dan.woda · January 16, 2020, 6:33pm

It looks like the error is coming from the Add persistent attributes to the user rule.

patrick.davis · January 16, 2020, 7:33pm

Yes I think you are right. I must have replaced that rule with the one that I was troubleshooting at the time.

Can I make a suggestion for a new feature to add some information to the context in the log on which rule it fails in if it is a error in a rule?

dan.woda · January 16, 2020, 7:42pm

Absolutely! You can submit feature requests to our feedback page. It is a direct line to our product team.

In addition, I would encourage you to consider switching to the core RBAC functionality vs the extension.

Hope this helps!

Thanks,
Dan

patrick.davis · January 17, 2020, 2:16pm

Thank you for your help. I will look into the core RBAC.

dan.woda · January 17, 2020, 6:42pm

Good Luck! Let us know if you need help with anything else.

dan.woda · January 31, 2020, 10:42pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Authorization Extension roles not available Get Help authorization-extens	6	6060	July 25, 2019
Bug in Authorization extension 'Add User to Groups' API (not always working correctly in rule) Get Help authorization-extens , groups , rule , not-working	2	5097	March 2, 2018
Errors when setting up Authorization Extensions Get Help	5	4565	March 6, 2019
Authorization Extension: Invalid API Key error Get Help authorization-extens , extensions	1	3992	August 5, 2019
Authorization Extension does not populate user object Get Help nodejs	3	4164	February 26, 2019

Auth0 Authorization rule seems not to save

Related topics