Auth0 Authorization rule seems not to save

Hi All,

I am currently using the authorization extension. The rule seems to be catched on the server side. The rule code is the default below…

*  This rule been automatically generated by auth0-authz-extension
function (user, context, callback) {
  var _ = require('lodash');
  var EXTENSION_URL = "[redacted]";

  var audience = '';
  audience = audience || (context.request && context.request.query && context.request.query.audience);
  if (audience === 'urn:auth0-authz-api') {
    return callback(new UnauthorizedError('no_end_users'));

  audience = audience || (context.request && context.request.body && context.request.body.audience);
  if (audience === 'urn:auth0-authz-api') {
    return callback(new UnauthorizedError('no_end_users'));

  getPolicy(user, context, function(err, res, data) {
    if (err) {
      console.log('Error from Authorization Extension:', err);
      return callback(new UnauthorizedError('Authorization Extension: ' + err.message));

    if (res.statusCode !== 200) {
      console.log('Error from Authorization Extension:', res.body || res.statusCode);
      return callback(
        new UnauthorizedError('Authorization Extension: ' + ((res.body && (res.body.message || res.body) || res.statusCode)))

    // Update the user object.
    user.groups = data.groups;
    user.roles = data.roles;
    user.permissions = data.permissions;

    // Store this in the user profile (app_metadata).
    saveToMetadata(user, data.groups, data.roles, data.permissions, function(err) {
      return callback(err, user, context);
  // Convert groups to array
  function parseGroups(data) {
    if (typeof data === 'string') {
      // split groups represented as string by spaces and/or comma
      return data.replace(/,/g, ' ').replace(/\s+/g, ' ').split(' ');
    return data;

  // Get the policy for the user.
  function getPolicy(user, context, cb) {{
      url: EXTENSION_URL + "/api/users/" + user.user_id + "/policy/" + context.clientID,
      headers: {
        "x-api-key": configuration.AUTHZ_EXT_API_KEY
      json: {
        connectionName: context.connection || user.identities[0].connection,
        groups: parseGroups(user.groups)
      timeout: 5000
    }, cb);

  // Store authorization data in the user profile so we can query it later.
  function saveToMetadata(user, groups, roles, permissions, cb) {
    user.app_metadata = user.app_metadata || {};
    user.app_metadata.authorization = {
      groups: groups,
      roles: roles,
      permissions: permissions

    auth0.users.updateAppMetadata(user.user_id, user.app_metadata)
    .then(function() {

however the error that I am getting seems to be related to old code

"error": {
      "message": "Authorization Extension2: {\"statusCode\":401,\"error\":\"Unauthorized\",\"message\":\"Missing authentication\"}",
      "oauthError": "unauthorized",
      "type": "oauth-authorization"

the “Extension2” was a string that I added to one of the errors however it does not exist in the current code.

I have tried the following

  • recreated the rule as a different rule
  • Turned off the authorization rule (it still seems to run)
  • Turned on and off the API
  • deleted the different users
  • uninstall and reinstalled and recreated the extension configuration (using the default rule above)

Interestingly enough when I run the rule through he “try” button it runs as expected.

Any other ideas?

** Edited for formatting

1 Like

Hi @patrick.davis,

It shouldn’t be caching like that. Can you DM me your tenant name so I can check it out?


1 Like

It looks like the error is coming from the Add persistent attributes to the user rule.

Yes I think you are right. I must have replaced that rule with the one that I was troubleshooting at the time.

Can I make a suggestion for a new feature to add some information to the context in the log on which rule it fails in if it is a error in a rule?

1 Like

Absolutely! You can submit feature requests to our feedback page. It is a direct line to our product team.

In addition, I would encourage you to consider switching to the core RBAC functionality vs the extension.

Hope this helps!


1 Like

Thank you for your help. I will look into the core RBAC.

1 Like

Good Luck! Let us know if you need help with anything else.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.