I went through the guide for adding roles and permissions using the Auth0 extension. This works fine.
Auth0 says the Auth0 extension is deprecated however, and to use Auth0 core instead. So the task for me was to migrate to core auth. To do that, I took the sample app and started adding core roles and permissions.
I’ve added two permissions to my API and my user: create:timesheets and read:timesheets.
I’ve enabled RBAC for my API, and asked to include the permissions in my token.
I still have the auth0 extension rule in place.
I’ve added a jwtAuthz check in the simple express server provided with the sample app above.
In the sample app, where you go to ping an external API, I grab a token like so:
const token = await getAccessTokenSilently({
  scope: 'create:timesheets',
});
Now when I click “ping api”, I get a message "You need to consent to get access to users api". If I click that link, I get a generic login, which just repeats the same message.
If I examine the token, it does not include the requested scope.
If I look at authenticated applications for this user, the app in question is there as expected.
What am I missing? Should I just use the auth0 extension in the end? Is there an example of using core auth roles and permissions somewhere?
Thanks,
Julian
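As an added illustration of the server-side check the post describes (example code, not from the original post or the Auth0 sample app): when RBAC is enabled with "Add Permissions in the Access Token", Auth0 places the granted permissions in a `permissions` array claim, while `scope` remains a space-delimited string. The middleware below authorizes from either claim and fails closed; it assumes an upstream middleware has already verified the JWT signature and attached the decoded payload as `req.user` (the property name and the permission names are assumptions taken from the post).

```javascript
// Added example (not from the original post): Express-style middleware that
// authorizes a request from the permissions in an Auth0 access token.
// Assumes the JWT signature was verified upstream and the decoded payload
// is on req.user; this code never trusts an unverified token.

// Collect permissions from the RBAC `permissions` claim, falling back to
// the space-delimited `scope` claim. Both are optional in a real token.
function extractPermissions(payload) {
  const fromRbac = Array.isArray(payload.permissions) ? payload.permissions : [];
  const fromScope = typeof payload.scope === 'string'
    ? payload.scope.split(' ').filter(Boolean)
    : [];
  return new Set([...fromRbac, ...fromScope]);
}

// Build middleware that requires ALL listed permissions (fail closed).
function requirePermissions(required) {
  return function (req, res, next) {
    if (!req.user) {
      // No verified payload attached: unauthenticated, not merely forbidden.
      return res.status(401).json({ error: 'missing or unverified token' });
    }
    const granted = extractPermissions(req.user);
    const missing = required.filter((p) => !granted.has(p));
    if (missing.length > 0) {
      return res.status(403).json({ error: 'insufficient permissions', missing });
    }
    return next();
  };
}

// Minimal stand-ins for Express req/res so the middleware runs offline.
function runMiddleware(middleware, payload) {
  const result = { status: 200, body: null, nextCalled: false };
  const res = {
    status(code) { result.status = code; return this; },
    json(body) { result.body = body; return this; },
  };
  middleware({ user: payload }, res, () => { result.nextCalled = true; });
  return result;
}

// Constructed sample payload: what an RBAC-enabled token carries.
const samplePayload = { permissions: ['create:timesheets', 'read:timesheets'] };
console.log(runMiddleware(requirePermissions(['create:timesheets']), samplePayload));
```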