Auth0 Core roles and permissions not in access token

I went through the guide for adding roles and permissions using the Auth0 extension. This works fine.

Auth0 says the Auth0 extension is deprecated however, and to use Auth0 core instead. So the task for me was to migrate to core auth. To do that, I took the sample app and started adding core roles and permissions.

I’ve added two permissions to my api and my user: create:timesheets and read:timesheets.

I’ve enabled RBAC for my API, and asked to include the permissions in my token.

I still have the auth0 extension rule in place.

I’ve added a jwtAuthz check in the simple express server provided with the sample app above.

In the sample app, where you go to ping an external API, I grab a token like so:

  const token = await getAccessTokenSilently({
    scope: 'create:timesheets',
  });

Now when I click “ping api”, I get a message "You need to consent to get access to users api". If I click that link, I get a generic login, which just repeats the same message.

If I examine the token, it does not include the requested scope.

If I look at authenticated applications for this user, the app in question is there as expected.

What am I missing? Should I just use the auth0 extension in the end? Is there an example of using core auth roles and permissions somewhere?

Thanks,

Julian
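For readers hitting the same wall, the server-side half of the setup described above (the jwtAuthz check in the Express sample) comes down to reading the right claim out of the verified access token. The following is an added illustration, not code from the thread or from Auth0's sample app. It assumes the token has already been verified (signature, issuer, audience, expiry) by express-jwt or equivalent and its decoded payload is on `req.auth`; the sample payload, tenant domain and API identifier are constructed placeholders. Auth0 core RBAC puts granted permissions into a `permissions` array claim when "Add Permissions in the Access Token" is on, while requested scopes land in the space-separated `scope` claim; express-jwt-authz checks `scope` unless pointed at another claim via its `customScopeKey` option, which is why the check below takes the claim name as a parameter.

```javascript
// Added example: checking Auth0 RBAC claims in an Express-style middleware.
// Not from the thread; assumes the token was already verified and decoded
// into req.auth (as express-jwt does).

// Constructed sample payload resembling a decoded Auth0 access token for an API
// with RBAC enabled and "Add Permissions in the Access Token" switched on.
const SAMPLE_PAYLOAD = {
  iss: 'https://example-tenant.auth0.com/',            // placeholder tenant
  sub: 'auth0|user-placeholder',                        // placeholder user id
  aud: ['https://timesheets.example/api'],              // placeholder API identifier
  iat: 1600000000,
  exp: 1600086400,
  scope: 'openid profile email create:timesheets',      // what the client asked for
  permissions: ['create:timesheets', 'read:timesheets'], // what core RBAC granted
};

// Normalise a claim to a list: `scope` is a space-separated string,
// `permissions` is an array. Anything else counts as "no values".
function claimValues(payload, key) {
  const v = payload[key];
  if (Array.isArray(v)) return v.map(String);
  if (typeof v === 'string') return v.split(' ').filter(Boolean);
  return [];
}

// Does the payload carry the required permissions in the given claim?
// checkAll=true requires every entry (the express-jwt-authz default is
// "any"; requiring all is the stricter choice for a write endpoint).
function hasPermissions(payload, required, { claim = 'permissions', checkAll = true } = {}) {
  const granted = new Set(claimValues(payload, claim));
  const found = required.filter((p) => granted.has(p));
  return checkAll ? found.length === required.length : found.length > 0;
}

// Middleware factory: 401 when no verified token is attached, 403 when the
// token is valid but lacks the permission, otherwise pass through.
function requirePermissions(required, options) {
  return function permissionGuard(req, res, next) {
    const payload = req.auth;
    if (!payload) {
      res.status(401).json({ error: 'missing or unverified token' });
      return;
    }
    if (!hasPermissions(payload, required, options)) {
      res.status(403).json({ error: 'insufficient_permissions', required });
      return;
    }
    next();
  };
}

// Minimal stand-in for Express's req/res so the guard can be exercised
// without starting a server. Returns the HTTP status the guard produced,
// or 200 if it called next().
function run(middleware, payload) {
  let status = 200;
  let passed = false;
  const res = {
    status(s) { status = s; return this; },
    json() { return this; },
  };
  middleware({ auth: payload }, res, () => { passed = true; });
  return passed ? 200 : status;
}

// Usage: mount on the protected route, e.g.
//   app.post('/api/timesheets', checkJwt, requirePermissions(['create:timesheets']), handler);
console.log(run(requirePermissions(['create:timesheets']), SAMPLE_PAYLOAD)); // 200
console.log(run(requirePermissions(['delete:timesheets']), SAMPLE_PAYLOAD)); // 403
console.log(hasPermissions(SAMPLE_PAYLOAD, ['read:timesheets'], { claim: 'scope' })); // false
```

The last line is the point of the thread: `read:timesheets` was granted as a permission but never requested as a scope, so a guard that only reads `scope` denies it even though the user holds the permission. Conversely, if a rule strips the `permissions` claim from the token, a guard reading `permissions` fails for every request, which is the symptom described above.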

It turns out that the auth0 extension rule is specifically excluding the permissions from my token. Disabling that rule fixes the problem. It doesn’t appear to do what it claims to do.

1 Like

I can also answer the other part of my question, which was really about requesting a scope not at login, but when you actually need it. And I can confirm this works too. There were just some changes to (React) state management needed, and critically, matching invocations in callApi and handleConsent (in ExternalApi.js):

      await getAccessTokenWithPopup({
        scope: 'openid profile email create:timesheets',
      });

and

      const token = await getAccessTokenSilently({
        scope: 'openid profile email create:timesheets',
      });
1 Like

Glad you have figured it out and thanks for sharing with the rest of community!