Auth0 Authorization rule seems not to save

patrick.davis · January 16, 2020, 4:33pm

Hi All,

I am currently using the authorization extension. The rule seems to be catched on the server side. The rule code is the default below…

/*
*  This rule been automatically generated by auth0-authz-extension
*/
function (user, context, callback) {
  var _ = require('lodash');
  var EXTENSION_URL = "[redacted]";

  var audience = '';
  audience = audience || (context.request && context.request.query && context.request.query.audience);
  if (audience === 'urn:auth0-authz-api') {
    return callback(new UnauthorizedError('no_end_users'));
  }

  audience = audience || (context.request && context.request.body && context.request.body.audience);
  if (audience === 'urn:auth0-authz-api') {
    return callback(new UnauthorizedError('no_end_users'));
  }

  getPolicy(user, context, function(err, res, data) {
    if (err) {
      console.log('Error from Authorization Extension:', err);
      return callback(new UnauthorizedError('Authorization Extension: ' + err.message));
    }

    if (res.statusCode !== 200) {
      console.log('Error from Authorization Extension:', res.body || res.statusCode);
      return callback(
        new UnauthorizedError('Authorization Extension: ' + ((res.body && (res.body.message || res.body) || res.statusCode)))
      );
    }

    // Update the user object.
    user.groups = data.groups;
    user.roles = data.roles;
    user.permissions = data.permissions;

    // Store this in the user profile (app_metadata).
    saveToMetadata(user, data.groups, data.roles, data.permissions, function(err) {
      return callback(err, user, context);
    });
  });
  
  // Convert groups to array
  function parseGroups(data) {
    if (typeof data === 'string') {
      // split groups represented as string by spaces and/or comma
      return data.replace(/,/g, ' ').replace(/\s+/g, ' ').split(' ');
    }
    return data;
  }

  // Get the policy for the user.
  function getPolicy(user, context, cb) {
    request.post({
      url: EXTENSION_URL + "/api/users/" + user.user_id + "/policy/" + context.clientID,
      headers: {
        "x-api-key": configuration.AUTHZ_EXT_API_KEY
      },
      json: {
        connectionName: context.connection || user.identities[0].connection,
        groups: parseGroups(user.groups)
      },
      timeout: 5000
    }, cb);
  }

  // Store authorization data in the user profile so we can query it later.
  function saveToMetadata(user, groups, roles, permissions, cb) {
    user.app_metadata = user.app_metadata || {};
    user.app_metadata.authorization = {
      groups: groups,
      roles: roles,
      permissions: permissions
    };

    auth0.users.updateAppMetadata(user.user_id, user.app_metadata)
    .then(function() {
      cb();
    })
    .catch(function(err){
      cb(err);
    });
  }
}

however the error that I am getting seems to be related to old code

"error": {
      "message": "Authorization Extension2: {\"statusCode\":401,\"error\":\"Unauthorized\",\"message\":\"Missing authentication\"}",
      "oauthError": "unauthorized",
      "type": "oauth-authorization"
    },

the “Extension2” was a string that I added to one of the errors however it does not exist in the current code.

I have tried the following

recreated the rule as a different rule
Turned off the authorization rule (it still seems to run)
Turned on and off the API
deleted the different users
uninstall and reinstalled and recreated the extension configuration (using the default rule above)

Interestingly enough when I run the rule through he “try” button it runs as expected.

Any other ideas?

** Edited for formatting

dan.woda · January 16, 2020, 6:09pm

Hi @patrick.davis,

It shouldn’t be caching like that. Can you DM me your tenant name so I can check it out?

Thanks,
Dan

dan.woda · January 16, 2020, 6:33pm

It looks like the error is coming from the Add persistent attributes to the user rule.

patrick.davis · January 16, 2020, 7:33pm

Yes I think you are right. I must have replaced that rule with the one that I was troubleshooting at the time.

Can I make a suggestion for a new feature to add some information to the context in the log on which rule it fails in if it is a error in a rule?

dan.woda · January 16, 2020, 7:42pm

Absolutely! You can submit feature requests to our feedback page. It is a direct line to our product team.

In addition, I would encourage you to consider switching to the core RBAC functionality vs the extension.

Hope this helps!

Thanks,
Dan

patrick.davis · January 17, 2020, 2:16pm

Thank you for your help. I will look into the core RBAC.

dan.woda · January 17, 2020, 6:42pm

Good Luck! Let us know if you need help with anything else.

dan.woda · January 31, 2020, 10:42pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
auth0-authorization-extension rule only provides groups, not roles or permissions Help authorization-extens	4	4110	September 3, 2019
Auth0-authorization-extension rule doesn't work as-is Help authorization-extens	8	4463	September 3, 2019
Authorization extension - Unauthorized Help authorization-extens , extensions	2	3433	August 26, 2019
Bug in Authorization extension 'Add User to Groups' API (not always working correctly in rule) Help authorization-extens , groups , rule , not-working	2	5080	March 2, 2018
Authorization Extention Migration from Rules to Actions Help extensions , auth0-authorization	5	78	November 15, 2024

Auth0 Authorization rule seems not to save

Related Topics