Auth0 Core roles and permissions not in access token

julian3 · January 16, 2021, 12:06am

I went through the guide for adding roles and permissions using the Auth0 extension. This works fine.

Auth0 says the Auth0 extension is deprecated however, and to use Auth0 core instead. So the task for me was to migrate to core auth. To do that, I took the sample app and started adding core roles and permissions.

I’ve added two permissions to my api and my user: create:timesheets and read:timesheets.

I’ve enabled rbac for my api, and asked to include the permissions in my token.

I still have the auth0 extension rule in place.

I’ve added a jwtAuthz check in the simple express server provided with the sample app above.

In the sample app, where you go to ping an external api, i grab a token like so:

  const token = await getAccessTokenSilently({
    scope: 'create:timesheets',
  });

Now when I click “ping api”, I get a message " You need to consent to get access to users api". If I click that link, I get a generic login, which just repeats the same message.

If I examine the token, it does not include the requested scope.

If I look at authenticated applications for this user, the app in question is there as expected.

What am I missing? Should I just use the auth0 extension in the end? Is there an example of using core auth roles and permissions somewhere?

Thanks,

Julian

julian3 · January 19, 2021, 12:52am

It turns out that the auth0 extension rule is specifically excluding the permissions from my token. Disabling that rule fixes the problem. It doesn’t appear to do what it claims to do.

julian3 · January 19, 2021, 1:22am

I can also answer the other part of my question, which was really about requesting a scope not at login, but when you actually need it. And I can confirm this works too. There was just some changes to (react) state management needed, and critically, matching invocations in callApi and handleConsent (in ExternalApi.js):

       await getAccessTokenWithPopup({
        scope: 'openid profile email create:timesheets',        
      });

and

      const token = await getAccessTokenSilently({
        scope: 'openid profile email create:timesheets',
      });

konrad.sopala · January 19, 2021, 9:33am

Glad you have figured it out and thanks for sharing with the rest of community!

Topic		Replies	Views
Doubts about how to obtain user roles in a SPA Help auth0 , roles , react	2	2515	December 16, 2021
RBAC and Plans and which method Help react , rbac	2	3296	May 20, 2021
Auth0 .NET Core 3.1 JWT Authorization How JWT.io	9	4056	July 24, 2020
Flow for fetching a user's role and permissions Help react	2	4902	September 30, 2022
Stuck implementing on authorization (react web app / node.js api server) Help	4	2926	December 15, 2020

Auth0 Core roles and permissions not in access token

Related Topics